Bug 55887 - In Windows apache, when user access to /con, apache returns 403 instead of 404(not found)
Status: RESOLVED INVALID
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.4.7
Hardware: PC All
Importance: P2 major
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2013-12-16 04:30 UTC by anoooon
Modified: 2017-06-26 17:36 UTC



Description anoooon 2013-12-16 04:30:45 UTC
https://github.com/SpiderLabs/ModSecurity/issues/616
http://security.stackexchange.com/questions/47002/why-these-2-regexp-wont-work-as-expected-in-mod-security2

How to test:
1. Make an environment: Windows and Apache.
2. Access: https://127.0.0.1/con

Returned result:
Apache returns 403.
Writes "doesn't point to a file or directory" to Apache's error log.

If an admin makes a .htaccess which includes an ErrorDocument statement,
Apache ignores it (doesn't show the ErrorDocument's one).

ex.
/ (root of htdocs)
/.htaccess (*)
/index.html

(*)
-------------------
ErrorDocument 403 /error.template.php
ErrorDocument 401 /error.template.php

<files "error.template.php">
Require all granted
</files>
-------------------

Expected result:
Apache should return HTTP 404.

---
Also, an attacker can determine whether the web server OS is Windows or not
by accessing /con.
Comment 1 William A. Rowe Jr. 2017-06-26 17:36:27 UTC
The behavior is correct, only REG and DIR entities can be allowed in the path, other entities such as CHR files must be forbidden.

Treating these as not-found may lead to further iterations by mod_speling and other modules attempting to work around the file name and potentially revealing concealed files. E.g. /CON -> notfound -> /.conf (redirected by mod_speling to a somewhat hidden file.)
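
The rule stated in Comment 1 (only regular files and directories may be served, other entity types are refused rather than reported as missing), sketched as an added example that is not httpd's code and was not written by either commenter. It assumes a POSIX system where /dev/null plays the role of a character device such as CON; `status_for_path` and the sample paths are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not an httpd function): walk an absolute path one
 * component at a time and map what is found to an HTTP status.
 * Uses stat(), so symlinks are followed; symlink policy is out of scope. */
int status_for_path(const char *path)
{
    char prefix[4096];
    size_t len = strlen(path);

    if (len == 0 || path[0] != '/' || len >= sizeof prefix)
        return 403;

    for (size_t i = 1; i <= len; i++) {
        if (i < len && path[i] != '/')
            continue;                      /* still inside a component */
        memcpy(prefix, path, i);
        prefix[i] = '\0';

        /* True when only slashes (or nothing) follow this prefix. */
        int last = (strspn(path + i, "/") == len - i);

        struct stat st;
        if (stat(prefix, &st) != 0)
            return (errno == ENOENT || errno == ENOTDIR) ? 404 : 403;
        if (S_ISDIR(st.st_mode)) {
            if (last)
                return 200;
            continue;                      /* descend into the directory */
        }
        if (S_ISREG(st.st_mode))
            return last ? 200 : 404;       /* simplification: no PATH_INFO */
        return 403;                        /* CHR, BLK, FIFO, socket: refuse */
    }
    return 200;
}

int main(void)
{
    /* Constructed sample paths; /dev/null stands in for a device like CON. */
    const char *samples[] = { "/", "/dev/null", "/dev/null/x", "/no-such-dir-example/con" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], status_for_path(samples[i]));
    return 0;
}
```

The device is refused as soon as it is reached, so a request that continues past it also gets 403 and never falls through to the not-found handling that modules such as mod_speling act on.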