Date: Thu, 16 Apr 2015 10:08:54 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security\@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Potential CVE request: flaw in comment handling

Hi,

we were notified of a flaw in the way Apache's mod_access_compat and
mod_authz_host handled comments in configuration files. When a comment
was defined on the same line that contained an "Allow" directive, any
potential IP ranges in that comment were also allowed to access a
resource.

This flaw was fixed in:

https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66

The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash
and the end of the line."
[https://httpd.apache.org/docs/2.2/configuring.html#syntax]

MITRE, does this qualify for a CVE?

Reproducer:

$ sudo yum -y install httpd
$ echo hest123 | sudo tee /var/www/html/secret.txt
$ echo '<Location "/secret.txt">
> Order allow,deny
> Allow from 127.0.0.1 # not 10
> </Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
sudo service httpd restart

client on 10.x.x.x:
$ HEAD servername.com/secret.txt
200 OK

The security implications of this flaw were discovered by Espen
Fjellvaer Olsen from Basefarm AS.

-- 
Martin Prpič / Red Hat Product Security
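
A configuration audit for the pattern in the report above, as an added example that is not part of the original message or of the httpd project: it lists every access-control line whose host list is followed by a same-line `#` comment, together with the comment words an unpatched server would read as further arguments. The function name and the sample configuration are constructed for illustration; `Deny from` is included on the assumption that it is parsed the same way as `Allow from`.

```python
import re

# "Allow from ..." is the case in the report; "Deny from ..." is included
# on the assumption that it shares the same argument parsing.
DIRECTIVE = re.compile(r'^\s*(allow|deny)\s+from\s+(.*)$', re.IGNORECASE)


def find_trailing_comment_hosts(config_text):
    """Return (line_no, directive, intended, leaked) for every access line
    that has a '#' token after its host list."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # whole-line comments and other directives do not match
        tokens = m.group(2).split()
        # Index of the first token that starts the would-be comment.
        idx = next((i for i, t in enumerate(tokens) if t.startswith('#')), None)
        if idx is None:
            continue
        intended = tokens[:idx]
        # Words the administrator meant as a comment; the bare '#' is dropped
        # from the report, the remaining words are kept exactly as written.
        leaked = [t for t in tokens[idx:] if t != '#']
        findings.append((line_no, m.group(1).capitalize(), intended, leaked))
    return findings


# Constructed sample: the <Location> block from the reproducer, a whole-line
# comment, and a clean block that must not be reported.
SAMPLE_CONFIG = '''\
<Location "/secret.txt">
Order allow,deny
Allow from 127.0.0.1 # not 10
</Location>
# Allow from 10.0.0.0/8
<Location "/status">
Order allow,deny
Allow from 192.168.1.0/24
</Location>
'''

if __name__ == '__main__':
    for line_no, directive, intended, leaked in find_trailing_comment_hosts(SAMPLE_CONFIG):
        print(f'line {line_no}: {directive} from {" ".join(intended)} '
              f'is followed by comment words read as arguments: {leaked}')
```

Moving each reported comment onto its own line removes the ambiguity regardless of whether the server carries the fix.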