Hi,
I found a bug whereby Apache 1.3.22 inconsistently handles the interaction between aliases to non-existent paths and authentication. If the alias is specified as an absolute path then a 401 is always served, but if the alias is a relative path then in some cases a 404 will be served. I don't see this as a security threat -- "an attacker could see that you are dozy and have specified non-existent paths" doesn't really instill fear -- but it nevertheless is leaking information which it probably shouldn't.

To test it for yourselves, take one apache-1.3.22 tarball, configure, make and make install. I did it in /usr/local/apache, so you'll probably want to sed the patch if you try it somewhere else.

  $ cd /usr/local/apache
  $ patch -p0 < httpd.conf.patch   # attached
  $ mv htdocs/manual .
  $ ln -s nowhere htdocs/broken
  $ bin/apachectl start

Finally, run test.sh. An annotated version of its output is as follows:

* Not an alias and not present in the docroot
  http://localhost:8080/Xmanual    401
  http://localhost:8080/Xmanual/   401

* Alias to an existing path
  http://localhost:8080/0manual    401
  http://localhost:8080/0manual/   401

* Aliases to non-existent relative paths
  http://localhost:8080/1manual    401
  http://localhost:8080/1manual/   404  <<<<<<
  http://localhost:8080/2manual    404  <<<<<<
  http://localhost:8080/2manual/   404  <<<<<<
  http://localhost:8080/3manual    404  <<<<<<
  http://localhost:8080/3manual/   404  <<<<<<
  http://localhost:8080/4manual    401
  http://localhost:8080/4manual/   404  <<<<<<

* Aliases to non-existent absolute paths
  http://localhost:8080/5manual    401
  http://localhost:8080/5manual/   401
  http://localhost:8080/6manual    401
  http://localhost:8080/6manual/   401
  http://localhost:8080/7manual    401
  http://localhost:8080/7manual/   401
  http://localhost:8080/8manual    401
  http://localhost:8080/8manual/   401

* Aliases to a relative path to a broken symlink
  http://localhost:8080/9manual    401
  http://localhost:8080/9manual/   404  <<<<<<
  http://localhost:8080/Amanual    404  <<<<<<
  http://localhost:8080/Amanual/   404  <<<<<<
  http://localhost:8080/Bmanual    404  <<<<<<
  http://localhost:8080/Bmanual/   404  <<<<<<
  http://localhost:8080/Cmanual    401
  http://localhost:8080/Cmanual/   404  <<<<<<

* Aliases to an absolute path to a broken symlink
  http://localhost:8080/Dmanual    401
  http://localhost:8080/Dmanual/   401
  http://localhost:8080/Emanual    401
  http://localhost:8080/Emanual/   401
  http://localhost:8080/Fmanual    401
  http://localhost:8080/Fmanual/   401
  http://localhost:8080/Gmanual    401
  http://localhost:8080/Gmanual/   401

I don't know whether you'd prefer it to return a 401 or a 404 (it follows the alias, but the new path isn't valid, and if the new path isn't valid then why apply directory stuff to it?) Personally I prefer returning a 401, but that's not my choice to make. Either way, the fact that it is inconsistent is not good.

Cheers, and Merry Christmas,
Gary

[ [EMAIL PROTECTED] ][ GnuPG 85A8F78B ][ http://inauspicious.org/ ]
--- conf/httpd.conf.default Fri Dec 21 14:37:10 2001 +++ conf/httpd.conf Fri Dec 21 15:13:10 2001 @@ -293,6 +293,10 @@ <Directory /> Options FollowSymLinks AllowOverride None + AuthName "user access" + AuthType Basic + AuthUserFile conf/htpasswd + Require valid-user </Directory> # @@ -549,6 +553,26 @@ Allow from all </Directory> + # A bunch of aliases with which to test the problem + # + Alias /0manual/ /usr/local/apache/manual/ + Alias /1manual/ manual/ + Alias /2manual manual/ + Alias /3manual manual + Alias /4manual/ manual + Alias /5manual/ /usr/local/apache/not/a/path/ + Alias /6manual /usr/local/apache/not/a/path/ + Alias /7manual /usr/local/apache/not/a/path + Alias /8manual/ /usr/local/apache/not/a/path + Alias /9manual/ broken/ + Alias /Amanual broken/ + Alias /Bmanual broken + Alias /Cmanual/ broken + Alias /Dmanual/ /usr/local/apache/htdocs/broken/ + Alias /Emanual /usr/local/apache/htdocs/broken/ + Alias /Fmanual /usr/local/apache/htdocs/broken + Alias /Gmanual/ /usr/local/apache/htdocs/broken + # This Alias will project the on-line documentation tree under /manual/ # even if you change the DocumentRoot. Comment it if you don't want to # provide access to the on-line documentation.
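Review bot: in the first hunk, `AuthUserFile conf/htpasswd` points at a file the recipe never creates (there is no htpasswd step alongside the `patch`, `mv` and `ln -s` commands). That is harmless for this test, since test.sh only records the 401/404 status and never sends credentials, but a one-line comment next to the directive saying the file is intentionally absent would save a tester from hunting for it, and would make it explicit that the `<Directory />` block is there purely to force a 401 on every walked path.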
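Review bot: in the second hunk, the comment `# A bunch of aliases with which to test the problem` does not say what distinguishes the seventeen entries, yet the whole point of the grid is the three axes it varies: absolute versus relative file-path, existing directory versus missing path versus broken symlink, and whether the trailing slash sits on the url-path, the file-path, both or neither (`Alias /1manual/ manual/`, `Alias /2manual manual/`, `Alias /3manual manual`, `Alias /4manual/ manual`). Spelling that out in the comment, and noting that the relative targets `manual/` and `broken/` are expected to resolve against the ServerRoot /usr/local/apache used in the recipe, would let a reader map each URL in the annotated output back to its directive without re-deriving the scheme.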
test.sh
Description: Bourne shell script