https://issues.apache.org/bugzilla/show_bug.cgi?id=45959
--- Comment #10 from Paul B. Henson <[EMAIL PROTECTED]> 2008-11-14 19:49:33 PST ---

I've done some further testing, and confirmed that this is only a problem if the included symbolic link is in the same directory as the shtml file.

Consider the following file served via apache:

$ ls -l /export/user/henson/www/
total 2
-rw-------+ 1 henson csupomona 13 Nov 14 19:24 secured.html

For the sake of discussion, assume this file is readable by the web server, but restricted to require authentication.

Now, another user creates a symbolic link to that file:

$ ls -l /export/user/astudent/www/symlink.html
lrwxrwxrwx 1 astudent csupomona 36 Nov 14 19:31 /export/user/astudent/www/symlink.html -> /export/user/henson/www/secured.html

Attempting to access the symbolic link directly fails, as SymlinkIfOwnerMatch is configured:

$ curl http://stan.unx.csupomona.edu/~astudent/symlink.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~astudent/symlink.html on this server.</p>
</body></html>

[Fri Nov 14 19:29:06 2008] [error] [client 134.71.248.140] Symbolic link not allowed or link target not accessible: /export/user/astudent/www/symlink.html

Now, the user creates an SSI file:

$ ls -l /export/user/astudent/www/symlink_ssi.html
-rw-r--r--+ 1 astudent csupomona 40 Nov 14 19:27 /export/user/astudent/www/symlink_ssi.shtml

Whose contents are:

$ cat /export/user/astudent/www/symlink_ssi.shtml
<!--#include virtual="/~astudent/symlink.html" -->

Accessing this file:

$ curl http://stan.unx.csupomona.edu/~astudent/symlink_ssi.shtml
Secret data.

Returns the restricted data, bypassing the SymlinkIfOwnerMatch configuration directive. As I discovered, this appears to be a bug in ap_directory_walk.
Let's say we move the SSI file to a subdirectory:

$ ls -l /export/user/astudent/www/subdir/symlink_ssi.shtml
-rw-r--r--+ 1 astudent csupomona 40 Nov 14 19:27 /export/user/astudent/www/subdir/symlink_ssi.shtml

Attempting to request it then fails as expected:

$ curl http://stan.unx.csupomona.edu/~astudent/subdir/symlink_ssi.shtml
[an error occurred while processing this directive]

[Fri Nov 14 19:37:04 2008] [error] [client 134.71.248.140] Symbolic link not allowed or link target not accessible: /export/user/astudent/www/symlink.html
[Fri Nov 14 19:37:04 2008] [error] [client 134.71.248.140] unable to include "/~astudent/symlink.html" in parsed file /export/user/astudent/www/subdir/symlink_ssi.shtml

The exact same include behaves differently depending on whether or not the included file happens to be in the same directory as the SSI. Again, this would appear to be a security bug to me. Not a critical one by any means, but still a security bug.

I would greatly appreciate some feedback from a developer on this issue.
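Added example, not part of the original bug comment and not Apache code: an audit for the exposure described above, listing SSI files that include a symbolic link in their own directory when the link and its target have different owners. It assumes the include reference can be matched by basename to a file next to the .shtml file; find_risky_includes, real_uid and uid_of are names made up for this example.

```python
import os
import re
import sys

# Matches SSI directives such as <!--#include virtual="/~astudent/symlink.html" -->
INCLUDE_RE = re.compile(rb'<!--#include\s+(?:virtual|file)\s*=\s*"([^"]+)"')


def real_uid(path, follow):
    """Owner uid of the link itself (follow=False) or of its target (follow=True)."""
    return (os.stat(path) if follow else os.lstat(path)).st_uid


def find_risky_includes(docroot, uid_of=real_uid):
    """Return (ssi_file, symlink, target) for every same-directory include of a
    symlink whose target is owned by a different user than the link itself."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.endswith(".shtml"):
                continue
            ssi_path = os.path.join(dirpath, name)
            with open(ssi_path, "rb") as fh:
                body = fh.read()
            for match in INCLUDE_RE.finditer(body):
                ref = match.group(1).decode("utf-8", "replace")
                # Assumption: only the same-directory case from the report is checked.
                candidate = os.path.join(dirpath, os.path.basename(ref))
                if not os.path.islink(candidate):
                    continue
                try:
                    mismatch = uid_of(candidate, False) != uid_of(candidate, True)
                except OSError:
                    continue  # dangling link: no target to disclose
                if mismatch:
                    findings.append((ssi_path, candidate, os.path.realpath(candidate)))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for ssi, link, target in find_risky_includes(root):
        print(f"{ssi}: includes {link} -> {target} (owner mismatch)")
```

Run it against the parent of the user web directories; each hit is a file pair that SymlinkIfOwnerMatch would refuse on a direct request.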
