SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#439395

Apache web server performs case sensitive filtering on Mac OS X HFS+ case insensitive filesystem

Overview

The Apache (1.3.14) web server's file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem.

I. Description

The Apache web server's file access protection scheme (i.e., file request "filtering") assumes that the filesystem being protected is case sensitve. For example, in a case sensitive file system, such as UFS (the UNIX file system), the file name "ANY_file" and "any_FILE" refer to different files. The Mac's HFS+ filesystem is case insensitve (e.g., the names "ANY_file", "any_FILE", and "any_file" all refer to the same file) . Under the Apache file access protection scheme you specify the directory (e.g., /ANY_directory) or filename (e.g., "/ANY_directory/ANY_file") to be protected, but only directories or pathnames matchings the exact case you specify will be protected.

Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called "directives", which include <Directory>, <Files> and <Location> directives. See http://httpd.apache.org/docs/mod/core.html#directory for further information on directives. When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lover case variation on the filename or directory.

II. Impact

Can bypass Apache file access protection, allowing remote unprivileged users to read privileged files.

III. Solution

Solution 1 - By default, Apache will allow access to any file mapped from a URL You should change the default to deny all access, and then use directives to override and allow access for only those directories and files that you want to be readable. Use regular expressions with directives such as <FilesMatch> and <DirectoryMatch> to cover upper and lover case variations. Be sure to thoroughly test your directives to ensure that Apache is properly allowing or denying access. The follwing advice is from the Apache web site (http://httpd.apache.org/docs/mod/core.html#directory):


Note that the default Apache access for <Directory /> is Allow from All. This means that Apache will serve any file mapped from an URL. It is recommended that you change this with a block such as

<Directory />
    Order Deny,Allow
    Deny from All
</Directory>

and then override this for directories you want accessible. See the Security Tips (http://httpd.apache.org/docs/misc/security_tips.html) page for more details.


Solution 2 - At least a partial fix (a shared object file "mod_hfs_apple.so") is available on the Apple web site as part of thr Web Sharing version 1.0 released on 7-23-2001 -- http://www.apple.com/downloads/macosx/apple/websharingupdate.html . This update fixes the problem when you specify protected directories (using the <Directory> and <Location> directives), but the fix may not work when you specify individual file names to be protected (using the <Files> directive. (See the 13-July-2001 message from Jacques Distler on the following web page: http://www.macintouch.com/mosxreaderreports43.html.) To overcome the case problem for individual filenames, you need to use the <FilesMatch> directive, and specify the filename using regular expressions that cover all upper and lower case variations. Even after applying this patch, it is recommended that you set the Apache default to deny all access, as described in solution 1 above.

Solution 3 - Use the UFS (Unix File System) instead of HFS+. UFS is case sensitive, so everything works as expected. Even if you use UFS, we still recommended that you set the Apache default to deny all access, as described in solution 1 above.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apache Software FoundationVulnerable28-Sep-2001
Apple Computer Inc.Vulnerable28-Sep-2001

References

http://www.securityfocus.com/bid/2852
http://www.apple.com/downloads/macosx/apple/websharingupdate.html
http://www.macintouch.com/mosxreaderreports43
http://www.securityfocus.com/bid/3316
http://httpd.apache.org/docs/mod/core.html#directory
http://httpd.apache.org/docs/misc/security_tips.html

Credit

This vulnerability was initially posted to the bugtraq mailing list (bugtraq ID 2852) by Stefan Arentz.

This document was written by Howard Lipson.

Other Information

Date Public:2001-06-10
Date First Published:2001-09-28
Date Last Updated:2003-06-02
CERT Advisory: 
CVE-ID(s):CAN-2001-0766
NVD-ID(s):CAN-2001-0766
US-CERT Technical Alerts: 
Metric:3.60
Document Revision:53

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader