Bug 55887 - In Windows apache, when user access to /con, apache returns 403 instead of 404(not found)
Summary: In Windows apache, when user access to /con, apache returns 403 instead of 40...
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.4.7
Hardware: PC All
: P2 major (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2013-12-16 04:30 UTC by anoooon
Modified: 2017-06-26 17:36 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description anoooon 2013-12-16 04:30:45 UTC

How to test:
1. Make an environment: Windows and Apache.
2. access to:

Returned result:
Apache returns 403.
Write "doesn't point to a file or directory" to apache's error log.

If an admin make a .htaccess which include ErrorDocument statement,
apache ignore it. (doesn't show ErrorDocument's one)

/ (root of htdocs)
/.htacccess (*)

ErrorDocument 403 /error.template.php
ErrorDocument 401 /error.template.php

<files "error.template.php">
Require all granted

Expected result:
Apache should return HTTP 404.

And also, attacker can determine whether the webserver OS is Windows or not
by accessing to /con.
Comment 1 William A. Rowe Jr. 2017-06-26 17:36:27 UTC
The behavior is correct, only REG and DIR entities can be allowed in the path, other entities such as CHR files must be forbidden.

Treating these as not-found may lead to further iterations by mod_speling and other modules attempting to work around the file name and potentially revealing concealed files. E.g. /CON -> notfound -> /.conf (redirected by mod_speling to a somewhat hidden file.)