COMMAND

    httpd

SYSTEMS AFFECTED

    Systems running Apache 1.1.1


PROBLEM

    Two security problems have been noticed in the Apache 1.1.1 code
    base:

    1) A hole in mod_cookies which allows outside users to attempt  to
       overwrite (scribble on) the memory stack used by Apache,  which
       could lead to the granting of shell access to an outsider as the
       same user the httpd children run as.  Mod_cookies is *not*
       compiled into the server by default - if you did not uncomment
       the mod_cookies line in your Configuration, you are not at risk
       from this hole.

    2) mod_dir contains a bug whereby carefully crafted URLs can cause
       a search for an "index.html" in a directory to fail, even  when
       one exists, thereby bypassing index.html and providing an index
       of the files in that directory.  If you do not allow "Indexes"
       as an argument to "Options" (the "All" argument includes
       "Indexes", too) you are not at risk from this hole.
       Credit for this goes to brian@organic.com, BugTraq and Apache.

SOLUTION

    Apache strongly recommends that users of Apache 1.1.1 do _one_ of
    the following:

    1) Download a copy of 1.1.2 from http://www.apache.org/dist/,
       compile and install it.
    2) Apply the patches below to your 1.1.1 installation.
    3) Discontinue use of the cookie module and turn "Indexes" off.
    4) Upgrade to a beta of 1.2.


    How to use the attached patches

    Attached to  this message  are two  patches.   Save them into your
    "src" subdirectory of  your Apache installation,  and then do  the
    following:

        patch < mod_cookies_security.patch
        patch < directoryindex_security.patch
        make

    You should then have a new "httpd" executable.

    How to turn off the features

    With  the  following  changes  you  should  not need to modify the
    1.1.1 code.

    1) Recompile the server without mod_cookies.c.  If you're  running
       the default set of modules, this is already left out.
    2) Turn  off  directory  indexing  by  making  sure  none of  your
       "Options" directives say either "Indexes" or "All".
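
    The following script is an added example, not part of the original
    advisory or of the Apache distribution.  It checks an installation
    for the two conditions named above: an uncommented mod_cookies line
    in the build "Configuration" file, and any uncommented "Options"
    directive in the server's *.conf files that names "Indexes" or
    "All".  The directory layout (src/Configuration for the build tree,
    conf/*.conf for the server) and the exact wording of the Configuration
    line are assumptions; adjust the paths to your installation, and
    remember that per-directory .htaccess files can also carry "Options".

```shell
#!/bin/sh
# Added example, not part of the advisory: audit an Apache 1.1.1 installation
# for the two exposure conditions the advisory describes.  File locations
# (src/Configuration, conf/*.conf) are assumptions; adjust them as needed.

# cookies_enabled CONFIGURATION
# Prints "yes" if an uncommented line in the build Configuration references
# mod_cookies (the advisory's condition for the first hole), else "no".
cookies_enabled() {
    if grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -q 'mod_cookies'; then
        echo yes
    else
        echo no
    fi
}

# indexes_enabled CONFFILE...
# Prints "yes" if any uncommented Options directive in the given files names
# "Indexes" or "All" (the advisory's condition for the second hole), else "no".
# Directive values are matched case-insensitively, as Apache reads them.
indexes_enabled() {
    for f in "$@"; do
        if grep -v '^[[:space:]]*#' "$f" 2>/dev/null \
           | grep -i '^[[:space:]]*Options' \
           | grep -Eiq '(^|[[:space:]])(Indexes|All)([[:space:]]|$)'; then
            echo yes
            return 0
        fi
    done
    echo no
}

# audit SRCDIR CONFDIR
# Reports both conditions; returns 0 only if neither exposure is present.
audit() {
    src="$1"; conf="$2"; rc=0
    if [ "$(cookies_enabled "$src/Configuration")" = yes ]; then
        echo "EXPOSED: mod_cookies is compiled in ($src/Configuration)"; rc=1
    else
        echo "ok: mod_cookies is not compiled in"
    fi
    if [ "$(indexes_enabled "$conf"/*.conf)" = yes ]; then
        echo "EXPOSED: an Options directive enables Indexes or All ($conf)"; rc=1
    else
        echo "ok: no Options directive enables Indexes or All"
    fi
    return $rc
}

# Usage (paths are assumptions):
#   sh audit_apache111.sh /usr/local/etc/httpd/src /usr/local/etc/httpd/conf
if [ $# -eq 2 ]; then
    audit "$1" "$2"
fi
```

    A non-zero exit status from "audit" means at least one of the two
    workarounds in this section has not been applied; run it again after
    recompiling without mod_cookies.c and editing your "Options" lines.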
