>Number:         1203
>Category:       mod_include
>Synopsis:       possible ../ attack in mod_include
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Oct 6 21:50:02 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.2, 1.3
>Environment:    n/a
>Description:
This code in handle_include:
    /* be safe; only files in this directory or below allowed */
    char tmp[MAX_STRING_LEN + 2];

    ap_snprintf(tmp, sizeof(tmp), "/%s/", parsed_string);
    if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL) {
        error_fmt = "unable to include file \"%s\" "
                    "in parsed file %s";
    }

is broken if parsed_string overflows that buffer. It's possible to put whatever crap at the beginning, then loads of ../../../ after that, and they won't be detected.

It also needs the os_is_absolute_path abstraction. It shouldn't use a tmp buffer to do this. It should be replaced by an intelligent OS-abstracted function that checks for a leading ../ and a trailing /.., and /../ anywhere else, and doesn't bother copying things around.
>How-To-Repeat:
>Fix:
see description
>Audit-Trail:
>Unformatted:
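The following is an added example, not code from the report or from the Apache source. It puts the original handle_include check beside a copy-free replacement of the kind the report asks for, and shows why the copy breaks: ap_snprintf (stdio's snprintf here) truncates to sizeof(tmp) - 1 bytes, so any "/../" that lands past the buffer's end is never compared. MAX_STRING_LEN is shrunk to 16 so the truncation is easy to trigger; os_is_absolute_path is a hypothetical Unix-only stand-in for the abstraction named in the report, and overflow_payload() constructs the test input.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately tiny so the truncation is easy to hit; Apache's real
   MAX_STRING_LEN is far larger. Assumption for the demo only. */
#define MAX_STRING_LEN 16

/* Hypothetical stand-in for the os_is_absolute_path abstraction the
   report asks for. Unix-only: a leading '/' means absolute. */
static int os_is_absolute_path(const char *p)
{
    return p[0] == '/';
}

/* Mirrors the original handle_include check. Returns 1 if the include
   is refused, 0 if allowed. The defect: snprintf writes at most
   sizeof(tmp) - 1 bytes, so "/../" beyond that point is invisible. */
static int include_check_legacy(const char *parsed_string)
{
    char tmp[MAX_STRING_LEN + 2];

    snprintf(tmp, sizeof(tmp), "/%s/", parsed_string);
    if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL)
        return 1;
    return 0;
}

/* Copy-free replacement. Walks the path one '/'-separated component at
   a time and refuses if the path is absolute or any component is
   exactly "..". That catches a leading "../", a trailing "/..", a bare
   "..", and "/../" anywhere in between, with no buffer to overflow. A
   component such as "..bar" is not a traversal and is left alone. */
static int include_check_fixed(const char *parsed_string)
{
    const char *p = parsed_string;

    if (os_is_absolute_path(p))
        return 1;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Constructed input: MAX_STRING_LEN bytes of padding followed by the
   traversal. The padding alone fills tmp, so the legacy check never
   sees the "/../". */
static const char *overflow_payload(void)
{
    static char buf[MAX_STRING_LEN + 64];

    memset(buf, 'a', MAX_STRING_LEN);
    strcpy(buf + MAX_STRING_LEN, "/../../etc/passwd");
    return buf;
}

int main(void)
{
    const char *inputs[] = {
        "docs/footer.html", "../secret", "/etc/passwd",
        "a/..", "foo/..bar", overflow_payload()
    };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-36s legacy=%d fixed=%d\n", inputs[i],
               include_check_legacy(inputs[i]),
               include_check_fixed(inputs[i]));
    return 0;
}
```

The last row of the output is the bug: the legacy check allows the padded payload while the component walk refuses it. The other rows show both checks agreeing on ordinary relative paths, absolute paths, a trailing "/..", and the non-traversal "..bar".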