| VID |
22123 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Apache web server has a directory traversal vulnerability. Apache is a powerful, full-featured, efficient, and freely available Web server. Apache version 2.0.39 and prior on Windows systems can allow a remote attacker to view arbitrary files outside the web root, and also to execute arbitrary commands on the same partition as the web server's root. The problem lies in the filtering of malformed characters sent by the user: the backslash character ('\' == %5c) is not filtered out, which allows an attacker to reach directories outside the HTTP root directory that normally bounds requests. The vulnerability is made more severe by the fact that prefixing the path with /cgi-bin/ causes the server to execute the file the attacker requests.
Examples:
The following will view the file winnt\win.ini:
http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
The following will execute the "wintty" utility found in the Apache2/bin folder:
http://127.0.0.1/cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO
Platforms Affected:
* Apache web server version 2.0.39 and previous 2.0.x (Windows/Netware/OS2)
References:
* http://httpd.apache.org/info/security_bulletin_20020908a.txt
* http://www.securiteam.com/windowsntfocus/5ZP0C2A80Y.html |
| Recommendation |
As a workaround, add the following directive to the global server configuration in httpd.conf, before the first 'Alias' or 'Redirect' directive:
RedirectMatch 400 "\\\.\."
-- OR --
Upgrade to Apache 2.0.40 or later from the Apache website: http://httpd.apache.org |
| Related URL |
CVE-2002-0661 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
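To check whether a server was probed before the workaround or upgrade went in, the access log can be searched for the same backslash-dot-dot sequence that the RedirectMatch directive rejects. The following is an added example, not part of the original advisory; it assumes Apache common/combined log format, and the log lines and the names `classify` and `scan` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Same pattern as the workaround's RedirectMatch: a backslash followed by "..".
BACKSLASH_DOTDOT = re.compile(r"\\\.\.")

# Assumed common/combined log format:
# host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return None for unrelated lines, else a dict describing the request."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    # Drop the query string, then percent-decode once (%5c -> '\', %2e -> '.').
    path = unquote(m["target"].split("?", 1)[0])
    if not BACKSLASH_DOTDOT.search(path):
        return None
    status = int(m["status"])
    return {
        "host": m["host"],
        "path": path,
        # Under /cgi-bin/ the advisory says the requested file is executed.
        "kind": "execute" if path.lower().startswith("/cgi-bin/") else "read",
        # 400 is what the RedirectMatch workaround answers with.
        "blocked": status == 400,
        "status": status,
    }

def scan(lines):
    """Return the classified hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Sep/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [08/Sep/2002:10:00:05 +0000] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 200 477',
    '192.0.2.77 - - [08/Sep/2002:10:00:09 +0000] "GET /cgi-bin/%5c%2e%2e%5cbin%5cwintty.exe?%2dt+HELLO HTTP/1.0" 200 12',
    '192.0.2.77 - - [08/Sep/2002:11:30:00 +0000] "GET /error/%5c%2e%2e%5cwinnt%5cwin.ini HTTP/1.0" 400 226',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        state = "blocked" if hit["blocked"] else "NOT blocked"
        print(f'{hit["host"]} {hit["kind"]:7} {hit["status"]} {state}: {hit["path"]}')
```

A hit with a status other than 400 means the request was not stopped by the workaround and the response deserves a closer look.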