List: apache-docs
Subject: Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache
From: William A Rowe Jr <wrowe () rowe-clan ! net>
Date: 2016-02-08 17:32:58
Message-ID: CACsi250Mo-cU_=X10O68huUEXMzqSPC+xsATYKk8kh4AUwgH5Q () mail ! gmail ! com
On Mon, Feb 8, 2016 at 11:21 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:
> I think my text below should have stated;
>
> Note that unexpected expansion occurs when trailing slashes are
> not balanced between the source url and target path. For example,
> Alias / /usr/share/htdocs
> will resolve http://example.com/-private/ as /usr/share/htdocs-private/
> while
> Alias /content/ /usr/share/htdocs
> will similarly result in the URL /content/-private/ resolving to the
> path /usr/share/htdocs-private/
>
> The statement could use some word-smithing.
>
An actual use-case that may exist in the wild would look like;
Alias /user/ /path/to/users-
where
http://example.com/user/wrowe/ would map to /path/to/users-wrowe
Or some similar scenario to map to .../webapp-wrowe. Lots of possible
but rare applications.
If we were to lock this behavior down with warnings, we might want
to introduce a run-immediate directive "AliasWarnConcatenation off"
that allows the "wiser" administrator to go without our stern warnings.
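
Added example, not part of the original message and not httpd code: a configuration check that flags Alias directives whose trailing slashes are not balanced between URL prefix and target path, the condition the message proposes warning about. The function names, the sample configuration and the simplified `resolve` model are assumptions; deliberate prefix mappings such as `Alias /user/ /path/to/users-` are flagged as well and need manual review.

```python
import shlex

def find_unbalanced_aliases(config_text):
    """Return (line_no, url_prefix, target) for each two-argument Alias
    whose URL prefix and target path disagree on the trailing slash."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # honours quoted paths
        except ValueError:
            continue  # unbalanced quotes: not a line this check can judge
        # Directive names are case-insensitive; only "Alias url path" is checked.
        if len(tokens) != 3 or tokens[0].lower() != "alias":
            continue
        url_prefix, target = tokens[1], tokens[2]
        if url_prefix.endswith("/") != target.endswith("/"):
            findings.append((line_no, url_prefix, target))
    return findings

def resolve(url_prefix, target, url_path):
    """Simplified model (assumption) of the concatenation described in the
    message: whatever follows the URL prefix is appended to the target as-is."""
    if not url_path.startswith(url_prefix):
        return None
    return target + url_path[len(url_prefix):]

# Constructed sample configuration using the directives from the message,
# plus two balanced directives that must not be flagged.
SAMPLE_CONFIG = """\
# constructed sample
Alias / /usr/share/htdocs
Alias /content/ /usr/share/htdocs
Alias /user/ /path/to/users-
Alias /icons/ /usr/share/icons/
Alias /docs /usr/share/doc
"""

if __name__ == "__main__":
    for line_no, prefix, target in find_unbalanced_aliases(SAMPLE_CONFIG):
        example = resolve(prefix, target, prefix + "-private/")
        print(f"line {line_no}: Alias {prefix} {target}: "
              f"{prefix}-private/ would map to {example}")
```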