oss-sec mailing list archives
Potential CVE request: flaw in comment handling
From: Martin Prpic <mprpic () redhat com>
Date: Thu, 16 Apr 2015 10:08:54 +0200
Hi,

we were notified of a flaw in the way Apache's mod_access_compat and mod_authz_host handled comments in configuration files. When a comment was defined on the same line that contained an "Allow" directive, any potential IP ranges in that comment were also allowed to access a resource.

This flaw was fixed in:

https://github.com/apache/httpd/commit/5e1affc271a429f267198eee61fce2b209a83c66

The docs do specify that comments are not allowed on the same line:

"There must be no other characters or white space between the backslash and the end of the line." [https://httpd.apache.org/docs/2.2/configuring.html#syntax]

MITRE, does this qualify for a CVE?

Reproducer:

$ sudo yum -y install httpd
$ echo hest123 | sudo tee /var/www/html/secret.txt
$ echo '<Location "/secret.txt">
Order allow,deny
Allow from 127.0.0.1 # not 10
</Location>' | sudo tee -a /etc/httpd/conf/httpd.conf
$ sudo service httpd restart

client on 10.x.x.x:

$ HEAD servername.com/secret.txt
200 OK

The security implications of this flaw were discovered by Espen Fjellvaer Olsen from Basefarm AS.

--
Martin Prpič / Red Hat Product Security
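
As an added example (not part of the original post and not Apache's code): a small Python linter that flags the pattern from the reproducer, an access-control directive with a `#` comment on the same line, and lists the tokens after the `#` that were meant as a comment. Covering `Deny from` and `Require ip|host` as well as `Allow from` goes beyond the report and is an assumption, as are the function names and the second `<Location>` block in the constructed sample.

```python
import re

# "Allow from" is the directive named in the report. "Deny from" and
# "Require ip|host" are included as an assumption (same kind of host list).
DIRECTIVE_RE = re.compile(
    r"^\s*(?P<name>allow\s+from|deny\s+from|require\s+(?:ip|host))\s+(?P<args>.*)$",
    re.IGNORECASE,
)

def logical_lines(text):
    """Yield (first_line_no, joined_line), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf

def audit(text):
    """Return one finding per access directive that carries a same-line '#'."""
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # whole-line comments are fine
        m = DIRECTIVE_RE.match(line)
        if not m or "#" not in m.group("args"):
            continue
        intended, _, comment = m.group("args").partition("#")
        findings.append({
            "line": no,
            "directive": " ".join(m.group("name").lower().split()),
            "intended": intended.split(),   # hosts the admin meant to list
            "stray": comment.split(),       # comment words on the directive line
        })
    return findings

# Constructed sample: first block is the reproducer from the post.
SAMPLE = ('<Location "/secret.txt">\nOrder allow,deny\n'
          'Allow from 127.0.0.1 # not 10\n</Location>\n'
          '<Location "/ok">\nOrder allow,deny\n# Allow from 10\n'
          'Allow from 192.0.2.0/24\n</Location>\n')

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['directive']} {f['intended']} stray={f['stray']}")
```

Any finding is a line to rewrite with the comment moved onto its own line above the directive.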
