![Apache Today [Your Apache News Source]](/pics/at_logo.png) 
 
| The Apache Software Foundation |
| Apache XML Project |
| The Jakarta Project |
| Apache Project |
| The Apache FAQ |
| PHP Server Side Scripting |
| Apache-Perl Integration Project |
| The Java Apache Project |
| Apache Module Registry |
| Apache-Related Projects |
| ApacheCon |
|
| Linuxnewbie.org |
|
Apache Today
|
| Enterprise Linux Today |
| BSD Today |
| Linux Central |
| Linux Planet |
| Linux Start |
| Just Linux |
| PHPBuilder |
| Linux Apps |
| Linux Programming |
| Linux Today |
| All Linux Devices |
| BSD Central |
| SITE DESCRIPTIONS |
|
|
EnGarde Linux advisory: Apache directory listing vulnerability
Jun 21, 2001, 21 :19 UTC (1 Talkback[s]) (3007 reads) |
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory June 20, 2001 |
| http://www.engardelinux.org/ ESA-20010620-02 |
| |
| Package: apache |
| Summary: An attacker can bypass index files and retrieve a directory |
| listing. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a vulnerability in apache by which an attacker can get a
directory listing even when an index file (such as index.html) is
present.
DETAIL
- ------
By sending apache a very long path containing slashes, an attacker can
trick mod_negotiation and mod_dir/mod_autoindex into displaying a
directory listing. This was fixed in apache version 1.3.18 (which was
an internal release not made available to the public). This updated
package will now return a 403 (FORBIDDEN) when such a request is made.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh
Once the updated package is installed, you need to restart it:
# /etc/init.d/httpd restart
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/apache-1.3.20-1.0.25.src.rpm
MD5 Sum: 23e58c358deef336067d165b51ed7b3d
Binary Packages:
i386/apache-1.3.20-1.0.25.i386.rpm
MD5 Sum: 084e9b7630af62f540e539e7a66af559
i686/apache-1.3.20-1.0.25.i686.rpm
MD5 Sum: aab4dc51aca297660eee675a56fc506b
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Martin Kraemer
Apache's Official Web Site:
http://httpd.apache.org/
Apache's Changelog:
http://httpd.apache.org/dist/httpd/CHANGES_1.3
- --------------------------------------------------------------------------
$Id: ESA-20010620-02-apache,v 1.3 2001/06/20 18:51:29 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple,
Copyright 2001, Guardian Digital, Inc.
|
|
