
List:       full-disclosure
Subject:    [Full-Disclosure] Possible Apache directory rules bypass / override
From:       "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc ! com>
Date:       2003-09-29 16:51:47

Hi,
I'm testing some things in Apache about the URL parsing of the server.
I don't know if the Apache server completely parses provided URLs when
those URLs are in this format:

[PROTOCOL HTTP / HTTPS ][SITE]/[DIR TO OVERRIDE RULES]/../[DIR TO
OVERRIDE RULES]/../[DIR TO OVERRIDE RULES]/../[DIR TO OVERRIDE
RULES]/../[DIR TO OVERRIDE RULES]/../../[DIR TO OVERRIDE
RULES]/../../../[DIR WITH NO RULES OR ACCESS CONTROL]/../[THE SAME NO
CONTROLLED DIR OR OTHER NOT CONTROLLED]/../../../../[DIR WITH NO
CONTROL RULES]/../

If this is possible, it can't affect IP-based access controls,
but other controls can be affected, or not?

This is not a vulnerability because I can't confirm it, but I want to
check the source code. I'm open to suggestions.

I'm posting this because I'm a little confused. And other
possibilities: if the URL is encoded, does Apache check
this correctly when it is encoded?

One thing is sure: this cannot affect IP-based rules such as deny
or allow.

PS: can this be related to the mod_write vulnerabilities?

Regards, 

------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
NSRGroup 
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://security.novappc.com
______________________



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
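
The question above comes down to whether directory rules are matched against the request string as sent or against its canonical form. The sketch below is an added example, not part of the original post and not Apache's code: it decodes the path once, collapses `.` and `..` segments (RFC 3986 section 5.2.4 semantics, plus merging repeated slashes), and only then matches rules. The directory names and the `PROTECTED` list are hypothetical.

```python
from urllib.parse import unquote

# Hypothetical rule set: URL prefixes that carry an access-control rule.
PROTECTED = ("/private/",)

def canonical_path(raw_path):
    """Decode once, then collapse '.', '..' and repeated slashes."""
    lowered = raw_path.lower()
    # An encoded slash or NUL changes segment boundaries after decoding; refuse it.
    if "%2f" in lowered or "%00" in lowered:
        raise ValueError("encoded slash or NUL in path")
    segments = unquote(raw_path).split("/")
    stack = []
    for seg in segments:
        if seg == "..":
            if stack:          # never climb above the document root
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    trailing = "/" if stack and segments[-1] in ("", ".", "..") else ""
    return "/" + "/".join(stack) + trailing

def rule_applies_raw(raw_path):
    """Flawed check: matches rules against the request string as sent."""
    return any(raw_path.startswith(p) for p in PROTECTED)

def rule_applies(raw_path):
    """Sound check: matches rules against the canonical path."""
    path = canonical_path(raw_path)
    return any(path.startswith(p) or path + "/" == p for p in PROTECTED)

# Constructed requests following the shape in the post (directory names are made up).
SAMPLES = [
    "/public/../private/secret.txt",
    "/private/../public/../private/../public/../private/secret.txt",
    "/public/%2e%2e/private/secret.txt",
    "/private/../public/index.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r} -> {canonical_path(s)!r} "
              f"raw={rule_applies_raw(s)} canonical={rule_applies(s)}")
```

The first and third samples show the raw check missing a protected resource, and the last shows it applying a rule to a path that resolves outside the protected directory.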