htaccess
Title: CA20090429-01: CA ARCserve Backup Apache HTTP Server
Multiple Vulnerabilities
CA Advisory Reference: CA20090429-01
CA Advisory Date: 2009-04-29
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
Vendor: http://www.php.net
--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so.
php_value name value
Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead.
Multiple vulnerabilities have been found and corrected in apache:
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c
in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to
cause a denial of service (memory consumption) via multiple calls, as
demonstrated by initial SSL client handshakes to the Apache HTTP Server
mod_ssl that specify a compression algorithm (CVE-2008-1678). Note
that this security issue does not really apply as zlib compression
is not enabled in the openssl build provided by Mandriva, but apache
is patched to address this issue anyway (concerns 2008.1 only).
Apache HTTP Server 2.2.22 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.22 of the Apache HTTP
Server ("Apache"). This version of Apache is principally a security
and bug fix release, including the following significant security fixes:
* SECURITY: CVE-2011-3368 (cve.mitre.org)
Reject requests where the request-URI does not match the HTTP
specification, preventing unexpected expansion of target URLs in
127# cd /www/trafka
127# ls -la
total 12
drwxr-xr-x 2 www www 512 Sep 10 03:49 .
drwxr-xr-x 4 www www 512 Sep 10 03:41 ..
-rw-r--r-- 1 www www 26 Sep 10 03:49 .htaccess
-rw-r--r-- 1 www www 33 Sep 10 03:49 not.php
-rw-r--r-- 1 www www 107 Sep 10 03:49 pufff.php
-rw-r--r-- 1 www www 27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value error_log /etc/
in apr-util:
The apr_strmatch_precompile function in strmatch/apr_strmatch.c in
Apache APR-util before 1.3.5 allows remote attackers to cause a denial
of service (daemon crash) via crafted input involving (1) a .htaccess
file used with the Apache HTTP Server, (2) the SVNMasterURI directive
in the mod_dav_svn module in the Apache HTTP Server, (3) the mod_apreq2
module for the Apache HTTP Server, or (4) an application that uses
the libapreq2 library, related to an underflow flaw. (CVE-2009-0023).
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2009-0010
Synopsis: VMware Hosted products update libpng and Apache HTTP
Server
Issue date: 2009-08-20
Updated on: 2009-08-20 (initial release of advisory)
CVE numbers: CVE-2009-0040 CVE-2007-3847 CVE-2007-1863
CVE-2006-5752 CVE-2007-3304 CVE-2007-6388
(CVE-2009-2412).
Even default smf installation doesn't even use htaccess to protect admin panel
On 11/6/07, Matt D. Harris <mdh@solitox.net> wrote:
> So what you're saying is that .htaccess is working as expected. What
> does this have to do with SMForum? Using .htaccess to protect the admin
> section is not at all standard in SMForum, so I'm not really sure how or
> why this is relevant. Furthermore, SMForum still has its own
> authentication mechanisms. This doesn't seem like a bug/issue at all,
> just software working as intended, even if someone chooses to use it in
------------------------------
Protection against this vulnerability.
------------------------------
For protection, an appropriate .htaccess file needs to be used and placed,
e.g., in the wp-content folder, to deny downloads of backups from the folder
with backups. I have been using this since I found this vulnerability.
It can be bypassed with the help of the Arbitrary file deletion vulnerability
(http://websecurity.com.ua/1676/), which I wrote about in December 2007
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in the Apache HTTP daemon allow for local
privilege escalation, information disclosure or Denial of Service
attacks.
Background
==========
Problem Description:
Multiple vulnerabilities have been found and corrected in apache:
Integer overflow in the ap_pregsub function in server/util.c in the
Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21,
when the mod_setenvif module is enabled, allows local users to gain
privileges via a .htaccess file with a crafted SetEnvIf directive,
in conjunction with a crafted HTTP request header, leading to a
heap-based buffer overflow (CVE-2011-3607).
SOS-10-002
Release Date. 5-Mar-2010
Last Update. -
Vendor Notification Date. 9-Feb-2010
Product. Apache HTTP Server
Platform. Microsoft Windows
Affected versions. 2.2.14 verified and
possibly others.
Severity Rating. High
Impact. System access
So what you're saying is that .htaccess is working as expected. What
does this have to do with SMForum? Using .htaccess to protect the admin
section is not at all standard in SMForum, so I'm not really sure how or
why this is relevant. Furthermore, SMForum still has its own
authentication mechanisms. This doesn't seem like a bug/issue at all,
just software working as intended, even if someone chooses to use it in
an unusual and insecure manner.
- mdh
h3llcode@hotmail.it wrote:
> [...]
>> Using PHP 5.2.6, as an Apache module can bypass many security points.
>
> Am I right that this vulnerability exists only in the Apache 1.x flavour
> of the PHP module? The code in question that sets SG(server_context)
> too late and initializes BG variable after the .htaccess processing
> exists only in sapi/apache/mod_php5.c. For Apache 2.x module the
> handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
> and BG/SG(server_context) are initialized before .htaccess processing.
yes
[...]
> Using PHP 5.2.6, as an Apache module can bypass many security points.
Am I right that this vulnerability exists only in the Apache 1.x flavour
of the PHP module? The code in question that sets SG(server_context)
too late and initializes BG variable after the .htaccess processing
exists only in sapi/apache/mod_php5.c. For Apache 2.x module the
handler is 'php_handler', it lives in apache2{filter,handler}/sapi_apache2.c
and BG/SG(server_context) are initialized before .htaccess processing.
And to clarify a bit the overall picture: am I right that the purpose of
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
Description:
Previous versions of apr-util contain a vulnerability which can allow
remote attackers to crash an Apache HTTP Server by triggering a
heap-based buffer underflow. This vulnerability only exists when
.htaccess files are used, or when a module linked to libaprutil is used.
http://wiki.rpath.com/Advisories:rPSA-2009-0144
125| }
126| }
As you can see there is no protection against PHP chars
(like strip_tags()) before inserting user's data into
the php file. But the author of the script added a ".htaccess"
file in the "config" directory. Let's see the content of
this file:
1| IndexIgnore *
2|
echo "[+] Start...\n";
$bypfile=fopen('php.ini','w+');
$stuffile=fopen('.htaccess','w+');
if($bypfile and $stuffile!= NULL){
echo "[+] evil files created succes ! \n";
}
CVE Id(s) : CVE-2009-1195
It was discovered that the Apache web server did not properly handle
the "Options=" parameter to the AllowOverride directive:
In the stable distribution (lenny), local users could (via .htaccess)
enable script execution in Server Side Includes even in configurations
where the AllowOverride directive contained only
Options=IncludesNoEXEC.
In the oldstable distribution (etch), local users could (via
Two vulnerabilities in ModSecurity might lead to a Denial of Service.
Background
==========
ModSecurity is a popular web application firewall for the Apache HTTP
server.
Affected packages
=================
Internet Explorer's autodetection of UTF-7 clearly violates this
specification, introducing the opportunity for myriad similar attacks.
These are literally everywhere on the web today, we can trust the kids
to continue to explore this vector until it is fixed by Microsoft.
There are several workarounds in Apache HTTP Server to dodge this particular
vulnerability on your own sites, including
AddDefaultCharset ISO-8859-1
and by enabling multilanguage error docs (each translation with an explicit
To use the first, we need to create a file with a long filename, e.g.
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
then create .htaccess with 'AddDescription'
AddDescription "fnmatch DoS" *?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*
Result:
www-data 1816 2.2 0.3 419048 9844 ? R 18:39 5:39 /usr/sbin/apache2 -k start
William A. Rowe, Jr. wrote:
> With respect to http://www.securityfocus.com/bid/29112
>
> All releases after Jan 2 include fixes across the board to add an explicit
> charset iso-8859-1 to the built in Apache HTTP modules to compensate for
> Microsoft's vulnerability, including released versions 2.2.8, 2.0.63, and
> 1.3.41. This does not affect third party modules you may be loading,
> applications hosted-on or proxied-through HTTP Server, etc.
Having reviewed the vulnerability history again, those versions corrected
PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
Vulnerability found: 7 November 2007
Vendor contacted: 14 November 2007
Risk factor: N/A
The reason why we didn't consider this vulnerability a security risk is because the attacker needs to force the victim's browser to submit a malformed HTTP method.
+--> Exploiting The Local File Inclusion (LFI)
For 'rss.php', you can select a local file path relative to the
'modules' directory using the 'module' GET parameter. For example, the
following URI can be used for inspecting the '.htaccess' file:
http://target.com/rss.php?module=../.htaccess%00
For 'index.php', you can select a local file path relative to the
'system/ajax' directory using the 'ajax' GET parameter. For example, the
following URI can be used for inspecting the '.htaccess' file: