COMMAND

    httpd

SYSTEMS AFFECTED

    IBM HTTP SERVER / APACHE

PROBLEM

    Marek Roy found the following.  There is  a crucial number of "/"
    (forward slash) you can use  to retrieve the contents of  the root
    directory   of   this   particular   Web   Server.    Using   this
    vulnerability, you can retrieve any files or scripts running  from
    that directory and sub-directories.

    The number of "/" used to reproduce this can be different from one
    server to another.  You can get a trial copy at:

        http://www-4.ibm.com/software/webservers/httpservers/download.html#v136

    Vulnerable:

        Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Win32)

    If you send a GET request of 210 "/", you get the actual Web Page.
    If you send a GET request of 211 "/", you get Index of /.  If  you
    send a GET request of 212 "/", you get:

        Forbidden
        You don't have permission to access
        "/" x 212 on this server.

    Luke Harless verified the bug  using the perl program with  Apache
    1.3.12 (Win32)  binary on  Win98 downloaded  from apache.org.   It
    always takes 235 / to work for him.

    Sample scan script to find / offset:

    #!/usr/bin/perl
    # Compares the reply for "/" x N against the reply for "/" and
    # reports the first N at which the server's answer changes.

    use LWP::Simple;
    use strict;
    use warnings;

    my $host = shift() || die "usage:  $0 [hostname]\n";
    my $i;
    my $data;
    my $odata;

    $odata = get("http://$host/");
    if (!defined $odata || $odata eq "")
    {
        die "no response from server:  $host\n";
    }
    for ($i = 2; $i < 4096; $i++)
    {
        print "Trying $i...\n";
        $data = get("http://$host" . ("/" x $i));
        # get() returns undef on an HTTP error status (e.g. 403);
        # treat that as an empty, and therefore different, reply.
        $data = "" unless defined $data;
        if ($data ne $odata)
        {
            print "/ = $i\n\n$data\n\n";
            exit;
        }
    }

    H D Moore added the following.  After he tried:

        GET /DIR/%2e%2f%2e%2e%2e HTTP/1.0

    the server  simply crashed,  burned, and  stopped accepting
    connections.  Whether the DoS was triggered by the earlier request
    containing the  null character  or the  single %2e%2f  sequence is
    unknown.

    Marc Slemko added the following.  There is a bug in Apache 1.3.x on
    the Win32 platform.  This does NOT impact Apache running on  Unix.
    This is  NOT particular  to IBM's  product, but  is a  bug in  the
    Apache HTTP  server included  in IBM's  bundle.   This bug  allows
    people  to  get  a  directory  listing  of  a  directory, if it is
    enabled  in  the  config,  even  if  an index file is present that
    would normally be  displayed instead.   While normally this  is of
    little consequence, in some situations this can be problematic.

    What is happening is that when Apache calls stat() to check if the
    index.html (or whatever name  it has) exists, Windows  will return
    an error if the path is too long.  Apache incorrectly treated this
    as  if  the  file  does  not  exist.   The included patch has been
    applied  to  the  Apache  CVS  tree  and  corrects  this  issue by
    correcting an existing pathname  length check.  Different  numbers
    of  '/'s  are  required  based  on  the  length of the path to the
    DocumentRoot.

    This is just speculation, but my guess as to why there is an exact
    number of  '/'s necessary  is that  if the  stat() of  ".htaccess"
    fails in  an unexpected  way, then  the request  will be  refused.
    "index.html" is only one character longer, hence the one character
    window between the stat()  of "index.html" failing and  the stat()
    of ".htaccess" failing.
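
    As an added illustration (not Apache's code and not part of the
    original advisory), the index-file decision the bug hinges on: a
    vulnerable variant that reads any stat() failure as "index.html is
    absent" and falls through to the directory listing, beside a hardened
    variant that accepts only ENOENT as absence and refuses everything
    else.  The helper names are assumed, Linux's ENAMETOOLONG stands in
    for the Windows MAX_PATH failure, and the DocumentRoot under /tmp is
    a constructed fixture.

```c
/* Added illustration, not Apache's code: the index-file stat() decision.
 * Linux's ENAMETOOLONG stands in for the Windows MAX_PATH failure. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum decision { SERVE_INDEX, DIR_LISTING, REFUSE };

/* stat() "<root>" + n slashes + "index.html"; returns stat()'s rc, errno in *err. */
static int stat_index(const char *root, size_t n, int *err) {
    struct stat st;
    size_t rl = strlen(root);
    char *p = malloc(rl + n + sizeof "index.html");
    if (!p) { *err = ENOMEM; return -1; }
    memcpy(p, root, rl);
    memset(p + rl, '/', n);
    strcpy(p + rl + n, "index.html");
    int rc = stat(p, &st);
    *err = errno;
    free(p);
    return rc;
}

/* Vulnerable: any stat() failure is read as "no index file" -> listing. */
enum decision decide_vulnerable(const char *root, size_t n) {
    int err;
    return stat_index(root, n, &err) == 0 ? SERVE_INDEX : DIR_LISTING;
}

/* Hardened: only ENOENT means "absent"; ENAMETOOLONG and the rest refuse. */
enum decision decide_hardened(const char *root, size_t n) {
    int err;
    if (stat_index(root, n, &err) == 0) return SERVE_INDEX;
    return err == ENOENT ? DIR_LISTING : REFUSE;
}

/* Constructed fixture: a DocumentRoot under /tmp holding an index.html. */
const char *make_docroot(void) {
    const char *dir = "/tmp/ihs_docroot_example";
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return NULL;
    FILE *f = fopen("/tmp/ihs_docroot_example/index.html", "w");
    if (f) { fputs("<html>index</html>\n", f); fclose(f); }
    return f ? dir : NULL;
}
```

    With a path of 5000 slashes both variants see stat() fail, but only
    the vulnerable one turns that failure into a listing.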

SOLUTION

    Not Vulnerable:

        Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Unix)

    Obviously, a temporary workaround is to disable the Indexes option
    (see the docs for the "Options" directive for details).

    There  is  a  rough  plan  to  release  a 1.3.13 version of Apache
    sometime soon, with various  changes including this security  fix,
    however  this  is  subject  to  change.   The patch applied to the
    Apache CVS tree, as shown at

        http://www.apache.org/websrc/cvsweb.cgi/apache-1.3/src/os/win32/util_win32.c.diff?r1=1.33&r2=1.34

    follows:

    RCS file: /home/cvs/apache-1.3/src/os/win32/util_win32.c,v
    retrieving revision 1.33
    retrieving revision 1.34
    diff -u -r1.33 -r1.34
    --- apache-1.3/src/os/win32/util_win32.c	1999/02/18 11:07:14	1.33
    +++ apache-1.3/src/os/win32/util_win32.c	2000/06/02 16:30:27	1.34
    @@ -580,7 +580,7 @@
         };
    
         /* Test 1 */
    -    if (strlen(file) > MAX_PATH) {
    +    if (strlen(file) >= MAX_PATH) {
 	    /* Path too long for Windows. Note that this test is not valid
 	     * if the path starts with //?/ or \\?\. */
 	    return 0;
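
    Review bot: the `>` to `>=` change in "Test 1" is the off-by-one
    itself: MAX_PATH on Win32 counts the terminating NUL, so a name of
    exactly MAX_PATH characters is already too long for the OS and was
    the single length that passed this check and then failed in
    stat().  Suggest recording that in the comment above the check
    ("MAX_PATH includes the NUL, hence >=") so a later reader does not
    "fix" it back to `>`, and adding a regression case with a path of
    exactly MAX_PATH characters alongside the existing ones.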