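Apache HTTP Server AllowOverride Options Security Bypass

Software: Apache 2.2.x
Description:
A security issue has been reported in Apache HTTP Server, which can be exploited by local users to bypass certain security restrictions.

The security issue is caused by an error when handling the "AllowOverride" directive and certain "Options" arguments in ".htaccess" files, which can be exploited to, for example, execute commands via server-side includes.

Detailed description: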

Description of problem:

In an httpd.conf fragment like:

<Directory …somepath…>
  AllowOverride … Options=IncludesNoEXEC
</Directory>

that appears to limit what Options can be set in .htaccess to just
IncludesNoEXEC, but in fact Options Includes is also allowed. I assume that
this is an upstream bug but I've not checked if any RH patches touch this part
of the code.

Version-Release number of selected component (if applicable):

httpd-2.2.3-22.el5

How reproducible:

100%

Steps to Reproduce:
1. Add a <Directory> which permits AllowOverride Options=IncludesNoEXEC
2. Create a .htaccess in there and use Options Includes
3. Access a file using SSI with #exec

Actual results:

the #exec is executed

Expected results:

Only IncludesNoEXEC should be allowed, i.e. no exec or cgi.

Additional info:

In the httpd source (as patched by the srpm etc), in server/core.c at about
line 1288 we have the definition of set_allow_opts() which contains:


        else if (!strcasecmp(w, "Includes")) {
            opt = OPT_INCLUDES;
        }
        else if (!strcasecmp(w, "IncludesNOEXEC")) {
            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
        }

I think that should probably be:


        else if (!strcasecmp(w, "Includes")) {
            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
        }
        else if (!strcasecmp(w, "IncludesNOEXEC")) {
            opt = OPT_INCNOEXEC;
        }

Solution:
Fixed in the SVN repository.
http://svn.apache.org/viewvc?view=rev&revision=772997
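
A small model of the mask logic in the report, added here as an illustration; it is not code from httpd or from the reporter. It assumes that an `Options` word in .htaccess is accepted when its bits overlap the AllowOverride mask and that .htaccess words map to bits as in `requested_bits()`; the flag values and the function names are constructed for this example.

```c
#include <stdio.h>
#include <strings.h>

/* Constructed flag values for this model; not copied from httpd headers. */
#define OPT_NONE      0u
#define OPT_INCLUDES  2u
#define OPT_INCNOEXEC 32u

/* AllowOverride Options=<w>: the mapping quoted in the report (fixed == 0)
 * or the mapping the reporter proposes (fixed == 1). */
unsigned allow_mask(const char *w, int fixed)
{
    if (!strcasecmp(w, "Includes"))
        return fixed ? (OPT_INCLUDES | OPT_INCNOEXEC) : OPT_INCLUDES;
    if (!strcasecmp(w, "IncludesNOEXEC"))
        return fixed ? OPT_INCNOEXEC : (OPT_INCLUDES | OPT_INCNOEXEC);
    return OPT_NONE;
}

/* Bits requested by an "Options <w>" line in .htaccess (assumed mapping). */
unsigned requested_bits(const char *w)
{
    if (!strcasecmp(w, "Includes"))
        return OPT_INCLUDES;
    if (!strcasecmp(w, "IncludesNOEXEC"))
        return OPT_INCLUDES | OPT_INCNOEXEC;
    return OPT_NONE;
}

/* Assumed permission test: accepted when request and mask share any bit. */
int htaccess_option_allowed(const char *allow_w, const char *opt_w, int fixed)
{
    return (allow_mask(allow_w, fixed) & requested_bits(opt_w)) != 0;
}

int main(void)
{
    const char *opts[] = { "Includes", "IncludesNOEXEC" };
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int a = 0; a < 2; a++)
            for (int o = 0; o < 2; o++)
                printf("%s mapping: AllowOverride Options=%s, Options %s -> %s\n",
                       fixed ? "proposed" : "quoted", opts[a], opts[o],
                       htaccess_option_allowed(opts[a], opts[o], fixed)
                           ? "allowed" : "refused");
    return 0;
}
```

Under the quoted mapping the IncludesNOEXEC mask contains the OPT_INCLUDES bit, so a plain `Options Includes` overlaps it; under the proposed mapping only the no-exec bit is granted and the plain form no longer matches.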