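Apache HTTP Server AllowOverride Options Security Bypass

Software: Apache 2.2.x
A security issue has been reported in Apache HTTP Server, which can be exploited by local users to bypass certain security restrictions.

The security issue is caused by an error when processing the "AllowOverride" directive and certain "Options" arguments in ".htaccess" files, which can be exploited to e.g. execute commands via server-side includes.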


Description of problem:

In an httpd.conf fragment like:

<Directory …somepath…>
  AllowOverride … Options=IncludesNoEXEC

that appears to limit what Options can be set in .htaccess to just
IncludesNoEXEC, but in fact Options Includes is also allowed.  I assume that
this is an upstream bug but I've not checked if any RH patches touch this part
of the code.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Add a <Directory> which permits AllowOverride Options=IncludesNoEXEC
2. Create a .htaccess in there and use Options Includes
3. Access a file using SSI with #exec

Actual results:

The #exec is executed.

Expected results:

Only IncludesNoEXEC should be allowed, i.e. no exec or cgi.

Additional info:

In the httpd source (as patched by the srpm etc), in server/core.c at about
line 1288 we have the definition of set_allow_opts() which contains:

        else if (!strcasecmp(w, "Includes")) {
            opt = OPT_INCLUDES;
        }
        else if (!strcasecmp(w, "IncludesNOEXEC")) {
            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
        }

I think that should probably be:

        else if (!strcasecmp(w, "Includes")) {
            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
        }
        else if (!strcasecmp(w, "IncludesNOEXEC")) {
            opt = OPT_INCNOEXEC;
        }
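
The bitmask reasoning behind the report, as an added example that is not part of the original report or of the httpd source: a small model comparing the allow mask quoted from set_allow_opts() with the encoding the reporter proposes. The bit values, the overlap test in htaccess_accepts() and the rule in exec_enabled() are assumptions of this model, and the helper names are hypothetical.

```c
#include <stdio.h>
#include <strings.h>

/* Illustrative bit values for this model (assumed, not taken from the page). */
#define OPT_NONE      0
#define OPT_INCLUDES  2
#define OPT_INCNOEXEC 32

/* Mask stored for "AllowOverride Options=<w>", as quoted from set_allow_opts(). */
static int allow_mask_original(const char *w) {
    if (!strcasecmp(w, "Includes"))       return OPT_INCLUDES;
    if (!strcasecmp(w, "IncludesNOEXEC")) return OPT_INCLUDES | OPT_INCNOEXEC;
    return OPT_NONE;
}

/* Mask under the encoding the reporter proposes. */
static int allow_mask_proposed(const char *w) {
    if (!strcasecmp(w, "Includes"))       return OPT_INCLUDES | OPT_INCNOEXEC;
    if (!strcasecmp(w, "IncludesNOEXEC")) return OPT_INCNOEXEC;
    return OPT_NONE;
}

/* Bits requested by "Options <w>" in .htaccess (assumed to keep the original encoding). */
static int requested_bits(const char *w) { return allow_mask_original(w); }

/* Assumed override test: a request is accepted if it shares any bit with the allowed mask. */
static int htaccess_accepts(int allowed, const char *w) {
    int opt = requested_bits(w);
    return opt != OPT_NONE && (allowed & opt) != 0;
}

/* Assumed SSI rule: #exec runs when includes are on and the no-exec bit is off. */
static int exec_enabled(int opts) {
    return (opts & OPT_INCLUDES) && !(opts & OPT_INCNOEXEC);
}

int main(void) {
    const char *req[] = { "Includes", "IncludesNOEXEC" };
    int orig = allow_mask_original("IncludesNOEXEC");
    int prop = allow_mask_proposed("IncludesNOEXEC");
    /* Administrator configured AllowOverride Options=IncludesNOEXEC in both cases. */
    for (int i = 0; i < 2; i++)
        printf("Options %-15s original=%d proposed=%d exec=%d\n", req[i],
               htaccess_accepts(orig, req[i]), htaccess_accepts(prop, req[i]),
               exec_enabled(requested_bits(req[i])));
    return 0;
}
```

With the original mask, the bits for Includes are a subset of the bits for IncludesNOEXEC, so the weaker option passes the override check; the proposed mask removes that overlap.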