Date: Thu, 16 Apr 2015 10:08:54 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security\@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Potential CVE request: flaw in comment handling 

Hi, we were notified of a flaw in the way Apache's mod_access_compat and
mod_authz_host handled comments in configuration files. When a comment
was defined on the same line that contained an "Allow" directive,
any potential IP ranges in that comment were also allowed to access
a resource.

This flaw was fixed in:

https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66

The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash and the end of the line."
[https://httpd.apache.org/docs/2.2/configuring.html#syntax]

MITRE, does this qualify for a CVE?


Reproducer:

$ sudo yum -y install httpd

$ echo hest123 | sudo tee /var/www/html/secret.txt

$ echo '<Location "/secret.txt">
> Order allow,deny
> Allow from 127.0.0.1 # not 10
> </Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
$ sudo service httpd restart

client on 10.x.x.x:
$ HEAD servername.com/secret.txt
200 OK

The security implications of this flaw were discovered by Espen
Fjellvaer Olsen from Basefarm AS.

-- 
Martin Prpič / Red Hat Product Security
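
Added example, not part of the post above and not httpd's own code: a small Python model of how an "Allow from" argument list is tokenised by a config reader that has no notion of a trailing comment, showing why the comment word `10` ends up matching 10.x.x.x as a partial address, plus a linter that flags Allow/Deny lines carrying an inline `#`. The token classes are a simplified re-implementation of the documented mod_authz_host address forms (all, CIDR, full IPv4, partial IPv4 prefix); hostname and domain matching is not modelled, the `directive_args`/`classify`/`lint_config` names are my own, and `SAMPLE_CONF` is constructed for the example.

```python
"""Model of the 'Allow from' comment pitfall described on the list.

Added example, not httpd code. Simplified mod_authz_host matching: 'all', CIDR,
full IPv4 and partial IPv4 (1-3 leading octets). Hostnames are not modelled.
"""
import ipaddress
import re

# Constructed sample config; line 3 is the flawed line from the post's reproducer.
SAMPLE_CONF = """<Location "/secret.txt">
Order allow,deny
Allow from 127.0.0.1 # not 10
</Location>
# a comment on its own line is fine
<Location "/other">
Order allow,deny
Allow from 192.168.0.0/16
</Location>
"""

_ACCESS_RE = re.compile(r'\s*(Allow|Deny)\s+from\s+(.*)$', re.IGNORECASE)


def directive_args(line):
    """Split an 'Allow from' / 'Deny from' line into whitespace-separated words,
    with no comment stripping: 'Allow from 127.0.0.1 # not 10' gives
    ('allow', ['127.0.0.1', '#', 'not', '10']). Returns (None, []) otherwise."""
    m = _ACCESS_RE.match(line)
    if not m:
        return None, []
    return m.group(1).lower(), m.group(2).split()


def classify(token):
    """Return 'all', 'cidr', 'ip', 'partial' for tokens that look like address
    patterns, or None for anything else ('#', 'not', hostnames...)."""
    if token.lower() == 'all':
        return 'all'
    if '/' in token:
        try:
            ipaddress.ip_network(token, strict=False)
            return 'cidr'
        except ValueError:
            return None
    octets = token.split('.')
    if 1 <= len(octets) <= 4 and all(o.isdigit() and int(o) <= 255 for o in octets):
        return 'ip' if len(octets) == 4 else 'partial'
    return None


def token_matches(token, client_ip):
    """Does one Allow/Deny argument match client_ip? A bare '10' is a partial
    address and matches every 10.x.x.x client."""
    ip = ipaddress.ip_address(client_ip)
    kind = classify(token)
    if kind == 'all':
        return True
    if kind == 'cidr':
        return ip in ipaddress.ip_network(token, strict=False)
    if kind == 'ip':
        return ip == ipaddress.ip_address(token)
    if kind == 'partial':
        prefix = token.split('.')
        return str(ip).split('.')[:len(prefix)] == prefix
    return False


def is_allowed(line, client_ip):
    """True if any argument on this 'Allow from' line matches client_ip."""
    name, toks = directive_args(line)
    if name != 'allow':
        return False
    return any(token_matches(t, client_ip) for t in toks)


def lint_config(text):
    """Flag Allow/Deny lines containing an inline '#' and list the comment words
    that would still be treated as address patterns ('unintended')."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        name, toks = directive_args(line)
        if name and '#' in toks:
            after = toks[toks.index('#') + 1:]
            findings.append({
                'line': lineno,
                'directive': name,
                'comment': after,
                'unintended': [t for t in after if classify(t) is not None],
            })
    return findings


if __name__ == '__main__':
    for f in lint_config(SAMPLE_CONF):
        print(f"line {f['line']}: {f['directive']} from ... # {' '.join(f['comment'])}"
              f" also matches {f['unintended']}")
    print(is_allowed('Allow from 127.0.0.1 # not 10', '10.20.30.40'))  # True
    print(is_allowed('Allow from 127.0.0.1', '10.20.30.40'))           # False
```

Run it against a real httpd.conf by passing the file's text to `lint_config`; every finding whose `unintended` list is non-empty is a line where moving the comment to its own line changes the effective access policy, which is exactly the reproducer's `# not 10` case.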
