Date: Thu, 21 Jun 2001 17:08:35 -0400 (EDT)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]
Subject: [ESA-20010620-02] apache directory listing vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory June 20, 2001 |
| http://www.engardelinux.org/ ESA-20010620-02 |
| |
| Package: apache |
| Summary: An attacker can bypass index files and retrieve a directory |
| listing. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
There is a vulnerability in apache by which an attacker can get a
directory listing even when an index file (such as index.html) is
present.
DETAIL
- ------
By sending apache a very long path containing slashes, an attacker can
trick mod_negotiation and mod_dir/mod_autoindex into displaying a
directory listing. This was fixed in apache version 1.3.18 (which was
an internal release not made available to the public). This updated
package will now return a 403 (FORBIDDEN) when such a request is made.
SOLUTION
- --------
All users should upgrade to the most recent version, as outlined in
this advisory. All updates can be found at:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/
Before upgrading the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS_GLOBAL
To install the updated package, execute the command:
# rpm -Uvh <filename>
Once the updated package is installed, restart the web server:
# /etc/init.d/httpd restart
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS_GLOBAL
To verify the signature of the updated packages, execute the command:
# rpm -Kv <filename>
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
Source Packages:
SRPMS/apache-1.3.20-1.0.25.src.rpm
MD5 Sum: 23e58c358deef336067d165b51ed7b3d
Binary Packages:
i386/apache-1.3.20-1.0.25.i386.rpm
MD5 Sum: 084e9b7630af62f540e539e7a66af559
i686/apache-1.3.20-1.0.25.i686.rpm
MD5 Sum: aab4dc51aca297660eee675a56fc506b
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Martin Kraemer
Apache's Official Web Site:
http://httpd.apache.org/
Apache's Changelog:
http://httpd.apache.org/dist/httpd/CHANGES_1.3
- --------------------------------------------------------------------------
$Id: ESA-20010620-02-apache,v 1.3 2001/06/20 18:51:29 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7MmJZHD5cqd57fu0RAm+hAJ41UiSJyHXoD1M0nzHi+M050ejezACgnWQj
xsg34aiQ4P/NzAw7P0xZDh8=
=d1NS
-----END PGP SIGNATURE-----
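
Added example (not part of the original advisory or of EnGarde's or Apache's code): a log check for the request pattern the DETAIL section describes, separating slash-padded requests that were served with a 200 from those answered with the 403 the updated package returns. The thresholds, the Common Log Format input and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumed tuning values, not taken from the advisory; adjust to local traffic.
MIN_SLASH_RUN = 32   # consecutive '/' characters in the path
MIN_PATH_LEN = 512   # long path that is at least half slashes

def classify(line):
    """Return a finding dict for a slash-padded request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, method, target, status = m.groups()
    path = target.split("?", 1)[0]
    longest = max((len(run) for run in re.findall(r"/+", path)), default=0)
    padded = len(path) >= MIN_PATH_LEN and path.count("/") * 2 >= len(path)
    if longest < MIN_SLASH_RUN and not padded:
        return None
    if status == "403":
        verdict = "blocked"   # response the updated package gives
    elif status == "200":
        verdict = "served"    # review: a listing may have been returned
    else:
        verdict = "other"
    return {"host": host, "time": when, "status": status,
            "path_len": len(path), "slash_run": longest, "verdict": verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [21/Jun/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [21/Jun/2001:10:02:17 -0400] "GET /docs' + "/" * 600 + ' HTTP/1.0" 200 2310',
    '192.0.2.44 - - [21/Jun/2001:10:05:40 -0400] "GET /docs' + "/" * 600 + ' HTTP/1.0" 403 289',
    '192.0.2.77 - - [21/Jun/2001:10:06:02 -0400] "GET /a//b/ HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A "served" finding dated before the upgrade is a prompt to review what that directory exposed; "blocked" findings after the upgrade confirm the new package is answering as the advisory states.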