
Security release: Apache 1.1.2 (fwd)




and these are the two patches I told you about that exist on
http://apache.linux.org.il and my FTP2.linux.org.il

---------- Forwarded message ----------
Date: Sun, 12 Jan 1997 16:58:43 -0800
From: Brian Behlendorf <brian@organic.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: Security release: Apache 1.1.2


Two security problems have been noticed in the Apache 1.1.1 code base:

1) A hole in mod_cookies which allows outside users to attempt to
scribble the memory stack used by Apache, which could lead to the
granting of shell access to an outsider as the same user the httpd
children are.  Mod_cookies is *not* compiled into the server by default -
if you did not uncomment the mod_cookies line in your Configuration, you
are not at risk from this hole.

2) mod_dir contains a bug whereby carefully crafted URLs can cause a
search for an "index.html" in a directory to fail, even when one exists,
thereby bypassing index.html and providing an index of files in a directory.
If you do not allow "Indexes" as an argument to "Options" (the "All"
argument includes "Indexes", too) you are not at risk from this hole.


We are thus releasing an Apache 1.1.2, which contains patches for
these two holes.  The patches are also attached to this message, in a form
suitable for feeding the "patch" program from the "src" directory in the Apache
1.1.1 distribution.  There is also a way to prevent the security holes by
turning off two features, as explained below.

The mod_cookie hole is of a less serious nature in 1.2 betas due to code
changes, but the next beta of 1.2 will include fixes for these two
reported problems.  The next 1.2 beta will also include numerous other
similar fixes which we have been working on for several weeks.

We strongly recommend users of Apache 1.1.1 do _one_ of the following:

  1) Download a copy of 1.1.2 from http://www.apache.org/dist/, compile and
     install it.
  2) Apply the patches below to their 1.1.1 installations
  3) Discontinue use of the cookie module and turn "indexes" off.
  4) Upgrade to a beta of 1.2

On a similar note, we are holding the next beta of 1.2 while we work on a
general solution to memory stack scribbling.  We hope to release it within the
next week.

Many thanks to Secure Networks Inc. for finding the hole in mod_cookies
and providing the patch, and the members of the BugTraq mailing list for
bringing the directory indexing hole to our attention.  An advisory on
the first hole may be found starting Monday at

  ftp://ftp.secnet.com/pub/advisories/APACHE_MOD.advisory.1.13.97


*How to use the attached patches*

Attached to this message are two patches.  Save them into your "src"
subdirectory of your Apache installation, and then do the following:

  patch < mod_cookies_security.patch
  patch < directoryindex_security.patch
  make

You should then have a new "httpd" executable.


*How to turn off the features*

With the following changes you should not need to modify the 1.1.1 code.

  1) Recompile the server without mod_cookies.c.  If you're running the
     default set of modules, this is already left out.
  2) Turn off directory indexing by making sure none of your "Options"
     directives say either "Indexes" or "All".


*Conclusion*

Once again many thanks to SNI for locating the hole, and for everyone out
there who assists with bug fixes and security checks.

The worst security hole is the one which few people know exists.


        Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
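
An added example, not part of the original message or of the Apache distribution: a small Python audit for the two steps under "How to turn off the features". It flags active "Options" directives that enable "Indexes" or "All" and checks whether an uncommented line of the build-time Configuration names mod_cookies; the sample file contents, the function names and the treatment of "+"/"-" option prefixes are assumptions made for illustration.

```python
import re

# Constructed sample inputs (illustrative only, not taken from a real server).
SAMPLE_CONF = """\
# access.conf (constructed sample)
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
options None
</Directory>
<Directory /home/*/public_html>
  Options All
</Directory>
# Options Indexes
"""
SAMPLE_CONFIGURATION = """\
Module dir_module         mod_dir.o
# Module cookies_module   mod_cookies.o
"""

# Directive names are case-insensitive; a leading '#' makes the line a comment.
OPTIONS_RE = re.compile(r"^\s*Options\s+(.*)$", re.IGNORECASE)

def risky_options(conf_text):
    """Return (line_number, directive) for each Options line enabling Indexes or All."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        for tok in m.group(1).split():
            if tok.startswith("-"):   # assumption: a '-' prefix turns the option off
                continue
            if tok.lstrip("+").lower() in ("indexes", "all"):
                hits.append((n, line.strip()))
                break
    return hits

def cookies_module_enabled(configuration_text):
    """True if an uncommented part of any Configuration line names mod_cookies."""
    return any("mod_cookies" in line.split("#", 1)[0]
               for line in configuration_text.splitlines())

if __name__ == "__main__":
    for n, directive in risky_options(SAMPLE_CONF):
        print(f"line {n}: {directive}")
    print("mod_cookies compiled in:", cookies_module_enabled(SAMPLE_CONFIGURATION))
```

Run the Options check over every file that can carry the directive, including per-directory .htaccess files, not only the main server configuration.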