Home page logo
/

bugtraq logo Bugtraq mailing list archives

Mac OS X - Apache & Case Insensitive Filesystems
From: Stefan Arentz <stefan.arentz () soze com>
Date: Sun, 10 Jun 2001 19:53:40 +0200

Environment:

  Mac OS X 10.0.3 / Darwin 1.3.3
  Apache 1.3.14

  This is the the default setup, out of the box, with available
  software updates installed. Please note, this is OS X *Client*.

Who is affected:

  Everybody who used Apache on Mac OS X Client with the following
  conditions:

    + Documents are on a HFS+ volume
    + Directory protection is used

Summary:

  The preferred filesystem for Mac OS X is Apple's HFS+ and most
  setups use it. HFS+ is a case insensitive filesystem.

  Apache's directory protection (and other methods that depend on
  filesystem object names) cannot handle this and breaks. For example,
  both Directory and Location configuration options break.

  This is a real security risk because most people do not know this.
  It can easily be used to bypass protected directories.

Description:

  Consider the following file:

    /Library/WebServer/Documents/test/index.html

  And the following configuration:

    <Location /test>
      Order deny,allow
      Deny from all
    </Location>

  Or, using a Directory option:

    <Directory /Library/WebServer/Documents/test>
      Order deny,allow
      Deny from all
    </Directory>

  The following request will result in a 403 Forbidden as excpected:

    GET /test/index.html

  But the following request will happily serve the file:

    GET /TeSt/index.html

Solution:

  Using UFS solves this problem because it is case sensitive and
  it behaves as expected.

  Also, Mac OS X Server ships with a mod_hfs_apple.so Apache
  module that solves this problem. However, the module is only
  available as part of OS X Server, and not available as source
  or part of the Apache distribution.

Preferred solution:

  Modification to Apache so that it does a check for the 'real'
  filename. This probably needs some support from the underlying
  operating system.

  Or Apple should submit their HFS+ patches to the Apache Software
  Foundation or install the mod_hfs_apple.so module on OS X Client.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault