
List:       apache-docs
Subject:    Re: Improper string concatenation in mod_alias allows code execution out of bounds defined in apache
From:       William A Rowe Jr <wrowe () rowe-clan ! net>
Date:       2016-02-08 17:32:58
Message-ID: CACsi250Mo-cU_=X10O68huUEXMzqSPC+xsATYKk8kh4AUwgH5Q () mail ! gmail ! com

On Mon, Feb 8, 2016 at 11:21 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

> I think my text below should have stated;
>
> Note that unexpected expansion occurs when trailing slashes are
> not balanced between the source url and target path.  For example,
> Alias / /usr/share/htdocs
> will resolve http://example.com/-private/ as /usr/share/htdocs-private/
> while
> Alias /content/ /usr/share/htdocs
> will similarly result in the URL /content/-private/ resolving to the
> path /usr/share/htdocs-private/
>
> The statement could use some word-smithing.
>

An actual use-case that may exist in the wild would look like;

Alias /user/ /path/to/users-

where

http://example.com/user/wrowe/ would map to /path/to/users-wrowe

Or some similar scenario to map to .../webapp-wrowe.  Lots of possible
but rare applications.

If we were to lock this behavior down with warnings, we might want
to introduce a run-immediate directive "AliasWarnConcatenation off"
that allows the "wiser" administrator to go without our stern warnings.
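
The concatenation discussed in this message, as an added example that is not part of the original message and not mod_alias code: a simplified model of the prefix-and-append mapping plus a config check for unbalanced trailing slashes. The names `resolve_alias` and `audit_aliases` are hypothetical, the matching is an assumption that ignores details such as duplicate-slash handling, and the sample configuration is constructed from the directives quoted above.

```python
import shlex

def resolve_alias(url_path, alias_src, alias_target):
    """Simplified model of the mapping described above: when the URL path
    starts with the alias source, the remainder is appended to the target
    verbatim, with no path separator inserted. Returns None if no match."""
    if not url_path.startswith(alias_src):
        return None
    rest = url_path[len(alias_src):]
    # A source without a trailing slash only matches on a segment boundary.
    if not alias_src.endswith("/") and rest and not rest.startswith("/"):
        return None
    return alias_target + rest

def audit_aliases(config_text):
    """Return (line_no, source, target) for each Alias directive whose
    trailing slashes are not balanced between source and target."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        parts = shlex.split(line, comments=True)
        if len(parts) == 3 and parts[0].lower() == "alias":
            _, src, target = parts
            if src.endswith("/") != target.endswith("/"):
                findings.append((line_no, src, target))
    return findings

# Constructed sample configuration using the directives from the message.
SAMPLE_CONF = """\
# constructed sample
Alias / /usr/share/htdocs
Alias /content/ /usr/share/htdocs
Alias /user/ /path/to/users-
Alias /icons/ /usr/share/icons/
Alias /docs /usr/share/doc
"""

if __name__ == "__main__":
    for line_no, src, target in audit_aliases(SAMPLE_CONF):
        probe = src + "-private/"
        print(f"line {line_no}: Alias {src} {target}: "
              f"{probe} -> {resolve_alias(probe, src, target)}")
```

The deliberate `/user/` to `users-` mapping is flagged along with the accidental ones, so each finding still needs a reviewer to decide whether the concatenation is intended.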



