Bug 49623 - CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Summary: CVE-2003-1418 - all httpd versions seem to expose inode values in FileEtag
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Reported: 2010-07-20 11:36 UTC by a.nurwono
Modified: 2015-04-14 06:14 UTC
Description a.nurwono 2010-07-20 11:36:58 UTC
Apache seems to simply hex-encode inodes retrieved by fstat() directly into etags through simple encoding.

Apache 2.2.3 in httpd-2.2.3/modules/http/http_etag.c:
    next = etag_ulong_to_hex(next, (unsigned long)r->finfo.inode);

httpd-2.2.3/srclib/apr/file_io/unix/filestat.c:
    if (fstat(thefile->filedes, &info) == 0) {
...
    finfo->inode = info->st_ino;


This shows up as a security vulnerability through exposure of inode information for files hosted by httpd:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418

An example solution to the problem was posted on OpenBSD, which is to use a hash of the inode instead of directly presenting an encoded inode into the etag value:

http://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch


I propose that future versions of Apache would either have FileEtag -Inode turned on or have the inode be hashed by default. (Preferably the original behavior could be optional instead, i.e. FileEtag -noInodehash.)

This would prevent security scanners from flagging all apache implementations as vulnerable.

Thanks!
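To make the report concrete, here is an added example (not httpd's code, not the OpenBSD patch, and not part of this bug report) that builds an ETag the way the description says httpd 2.2 does, from hex-encoded stat fields with '-' separators, beside a variant that substitutes a hash of the inode mixed with a server-local secret, which is the approach the linked OpenBSD patch takes. It also includes a small defender's check that answers the question a scanner should ask: given a file's real st_ino, can that value be read straight out of the ETag? The field layout (inode, size, mtime), the bit names, the FNV-1a hash and all stat values are assumptions constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Fields a server reads from fstat(); the values used below are constructed. */
typedef struct {
    unsigned long long inode;   /* st_ino  */
    unsigned long long size;    /* st_size */
    unsigned long long mtime;   /* modification time */
} finfo_t;

/* Components selectable with FileETag, mirroring the INode/Size/MTime keywords. */
enum { ETAG_INODE = 1, ETAG_SIZE = 2, ETAG_MTIME = 4 };

/* Append one hex field to the quoted ETag body, '-' separated like httpd's layout. */
static void append_hex(char *buf, size_t len, unsigned long long v) {
    size_t used = strlen(buf);
    /* used == 1 means only the opening quote is present, so no separator yet */
    snprintf(buf + used, len - used, used > 1 ? "-%llx" : "%llx", v);
}

/* Leaky form: the raw inode goes on the wire as plain hex, as the report describes. */
void make_raw_etag(char *out, size_t len, const finfo_t *f, unsigned bits) {
    snprintf(out, len, "\"");
    if (bits & ETAG_INODE) append_hex(out, len, f->inode);
    if (bits & ETAG_SIZE)  append_hex(out, len, f->size);
    if (bits & ETAG_MTIME) append_hex(out, len, f->mtime);
    size_t used = strlen(out);
    snprintf(out + used, len - used, "\"");
}

/* 64-bit FNV-1a; non-cryptographic, used only to illustrate the substitution.
   A keyed MAC (e.g. HMAC) would be the production choice. */
static uint64_t fnv1a64(const void *data, size_t n, uint64_t h) {
    const unsigned char *p = data;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hashed form: the inode is mixed with a server-local secret before it is
   encoded, so the header still changes when the file's inode changes but the
   inode itself is not recoverable from it. */
void make_hashed_etag(char *out, size_t len, const finfo_t *f, unsigned bits,
                      const char *secret) {
    snprintf(out, len, "\"");
    if (bits & ETAG_INODE) {
        uint64_t h = fnv1a64(secret, strlen(secret), 14695981039346656037ULL);
        h = fnv1a64(&f->inode, sizeof f->inode, h);
        append_hex(out, len, (unsigned long long)h);
    }
    if (bits & ETAG_SIZE)  append_hex(out, len, f->size);
    if (bits & ETAG_MTIME) append_hex(out, len, f->mtime);
    size_t used = strlen(out);
    snprintf(out + used, len - used, "\"");
}

/* Defender's check: does the ETag's first hex field equal the file's real inode?
   Returns 1 when the inode can be read straight out of the header, 0 otherwise.
   It is a heuristic: a size-only ETag whose size happens to equal the inode
   would also match, so compare against the known stat values of the file. */
int etag_reveals_inode(const char *etag, unsigned long long inode) {
    const char *p = etag;
    if (p[0] == 'W' && p[1] == '/') p += 2;   /* weak validator prefix */
    if (*p == '"') p++;
    char *end;
    unsigned long long first = strtoull(p, &end, 16);
    if (end == p) return 0;                   /* no hex field at all */
    if (*end != '-' && *end != '"') return 0; /* not a '-'-separated hex field */
    return first == inode;
}

int main(void) {
    finfo_t f = { 0x1a2b, 0x3c, 0x4d5e };     /* constructed stat values */
    char raw[64], reduced[64], hashed[64];
    make_raw_etag(raw, sizeof raw, &f, ETAG_INODE | ETAG_SIZE | ETAG_MTIME);
    make_raw_etag(reduced, sizeof reduced, &f, ETAG_SIZE | ETAG_MTIME);
    make_hashed_etag(hashed, sizeof hashed, &f, ETAG_INODE | ETAG_SIZE | ETAG_MTIME,
                     "per-server-secret");
    printf("INode MTime Size : %s  reveals inode: %d\n", raw, etag_reveals_inode(raw, f.inode));
    printf("MTime Size       : %s  reveals inode: %d\n", reduced, etag_reveals_inode(reduced, f.inode));
    printf("hashed inode     : %s  reveals inode: %d\n", hashed, etag_reveals_inode(hashed, f.inode));
    return 0;
}
```

The `ETAG_SIZE | ETAG_MTIME` selection corresponds to the `FileETag MTime Size` setting proposed later in this thread; it removes the inode from the header entirely, at the cost that two different files with the same size and mtime get the same validator. The hashed variant keeps the inode's contribution to cache validation without exposing it, but the secret must be stable across restarts and shared across any servers behind the same name, or validators will change spuriously.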
Comment 1 William A. Rowe Jr. 2011-09-01 21:21:54 UTC
Please provide a citation of how possessing an arbitrary identifier, the inode, represents either a local or remote exploit?

No, not the respective validation test that is failing, but an actual citation w.r.t. the value of an inode to exploiting a machine. Validation vendors are famous for not actually probing for vulnerabilities, but regurgitating them based on version numbers.
Comment 2 Joe Orton 2011-09-05 13:07:21 UTC
Tomas Hoger pointed out that CVE-2003-1418 also mentions a pid leak in the byterange filter; I fixed that part in r1165268 since it seems cheap and harmless.
Comment 3 Tomas Hoger 2011-09-05 13:21:08 UTC
Comment suggests this part is probably redundant now after the change:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http/byterange_filter.c?view=markup&pathrev=1165268#l22
Comment 4 Phil Dietz 2011-09-15 15:34:13 UTC
I propose that 'FileETag MTime Size' become the default along with the fix for the hex problem. Why expose inode in the 1st place... unless you need it.
Comment 5 Stefan Fritsch 2012-01-23 22:22:55 UTC
fixed in r1199086
Comment 6 Stefan Fritsch 2012-02-26 17:07:13 UTC
fixed in 2.4.1
Comment 7 Takashi Sato 2015-04-14 06:14:44 UTC
r1165268 was backported to 2.2 in r1165607, this was released on 2.2.21.
r1199086 has not been backported to 2.2 yet.