软件:Apache 2.2.x
描述:
一个安全问题已经在Apache HTTP服务器,可以利用此漏洞,本地用户绕过某些安全限制。
安全问题引起的错误时,处理“ AllowOverride ”的指示和某些“Options”论据“ . htaccess”文件,它可以被利用来如执行命令通过服务器端程序包含。
详细描述:
Description of problem:
In an httpd.conf fragment like:
<Directory …somepath…>
AllowOverride … Options=IncludesNoEXEC
</Directory>
that appears to limit what Options can be set in .htaccess to just
IncludeNoexec, but in fact Options Includes is also allowed. I assume that
this is an upstream bug but I’ve not checked if any RH patches touch this part
of the code.
Version-Release number of selected component (if applicable):
httpd-2.2.3-22.el5
How reproducible:
100%
Steps to Reproduce:
1. Add a <directory> which permits AllowOverride Options=IncludesNoEXEC
2. create a .htaccess in there and use Options Includes
3. access a file using ssi with #exec
Actual results:
the #exec is executed
Expected results:
includesnoexec only should be allowed ie no exec or cgi.
Additional info:
In the httpd source (as patched by the srpm etc), in server/core.c at about
line 1288 we have the definition of set_allow_opts() which contains:
…
else if (!strcasecmp(w, "Includes")) {
opt = OPT_INCLUDES;
}
else if (!strcasecmp(w, "IncludesNOEXEC")) {
opt = (OPT_INCLUDES | OPT_INCNOEXEC);
}
…
I think that should probably be:
…
else if (!strcasecmp(w, "Includes")) {
opt = (OPT_INCLUDES | OPT_INCNOEXEC);
}
else if (!strcasecmp(w, "IncludesNOEXEC")) {
opt = OPT_INCNOEXEC;
}
…
解决方案:
固定在SVN库。
http://svn.apache.org/viewvc?view=rev&revision=772997
0 条评论。