Package: apache2
Version: 2.2.9-10+lenny2
Severity: grave
Tags: patch security lenny sid

1. BUG DESCRIPTION

The Options settings "FollowSymlinks" and "SymlinksIfOwnerMatch" are ignored for files included using SSI when the files are symlinks and located in the same directory. Even when "FollowSymlinks" and "SymlinksIfOwnerMatch" are NOT set, symlinks are still followed, and ownership is not checked.

This means a user can set a symlink to any file on the system readable by the Apache user, even outside the DocumentRoot, and read it through HTTP, even if the administrator disabled this by not setting "FollowSymlinks" and "SymlinksIfOwnerMatch".

The bug is present in all current 2.2.x versions, so both in 2.2.9 (lenny) and 2.2.11 (sid).

2. HOW TO REPRODUCE

Reproduce with:

* server settings

    Options FollowSymlinks            # usually the default
    <VirtualHost testhost>
        ServerName testhost.test.tld
        <Directory /var/www/>
            Options Indexes IncludesNoExec   # note no FollowSymlinks
        </Directory>
    </VirtualHost>

* index.shtml file:

    <Pre><!--#include file="foo.txt"--></Pre><P>
    <Pre><!--#include file="root_link_to_foo.txt"--></Pre><P>
    <Pre><!--#include file="user_link_to_foo.txt"--></Pre>

* data files / links:

    -rw-r--r-- 1 root root 25 Sep  7 11:47 foo.txt
    lrwxrwxrwx 1 root root 10 Sep  7 12:32 root_link_to_foo.txt -> foo.txt
    lrwxrwxrwx 1 www  www   7 Sep  7 15:09 user_link_to_foo.txt -> foo.txt

  (the last link is used to check if SymlinksIfOwnerMatch works)

The index.shtml file will now show the contents of 'foo.txt' three times, even though it should error out on the symlinks.

3. PATCH

This issue has already been addressed by the Apache developers and the fix will be included in the next 2.2.x and 2.3.x releases. See:

    https://issues.apache.org/bugzilla/show_bug.cgi?id=45959

The patch applies cleanly to 2.2.9 and works. It's here:

    http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/request.c?r1=733754&r2=733753&pathrev=733754&view=patch

Mike.
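The report above says that SSI #include skips the symlink policy that Apache applies to ordinary requests. To make that policy concrete, here is an added example (not part of the bug report and not Apache's own code) that implements the documented FollowSymlinks / SymlinksIfOwnerMatch decision for a single path component and, separately, audits a DocumentRoot for symlinks whose resolved target lies outside it, which is exactly the exposure described in the report. It is simplified in one respect: Apache evaluates the policy for every directory component of the path, while this check looks only at the final component. The demo directory layout, file names and uid values are constructed for illustration.

```python
import os
import stat
import tempfile


def policy_permits(is_link, link_uid, target_uid, follow_symlinks, owner_match):
    """Pure decision function mirroring Apache's Options semantics.

    - FollowSymlinks:        any symlink may be followed.
    - SymlinksIfOwnerMatch:  a symlink is followed only when the link and its
                             target are owned by the same uid.
    - neither option set:    symlinks are refused.
    Regular files and directories are always permitted at this level.
    """
    if not is_link:
        return True
    if follow_symlinks:
        return True
    if owner_match:
        # target_uid is None for a dangling link: refuse rather than guess.
        return target_uid is not None and link_uid == target_uid
    return False


def fs_policy_permits(path, follow_symlinks, owner_match):
    """Apply policy_permits() to a real filesystem path (final component only)."""
    st_link = os.lstat(path)                   # does not follow the link
    is_link = stat.S_ISLNK(st_link.st_mode)
    target_uid = None
    if is_link:
        try:
            target_uid = os.stat(path).st_uid  # follows the link
        except OSError:
            target_uid = None                  # dangling link
    return policy_permits(is_link, st_link.st_uid, target_uid,
                          follow_symlinks, owner_match)


def audit_symlinks(docroot):
    """Return (link_path, resolved_target, points_outside_docroot) for every symlink.

    os.walk does not descend into symlinked directories by default, so a
    link to a directory is reported once and not traversed.
    """
    docroot_real = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                continue
            target = os.path.realpath(p)
            outside = not (target == docroot_real
                           or target.startswith(docroot_real + os.sep))
            findings.append((p, target, outside))
    return findings


def demo():
    """Build a constructed DocumentRoot in a temp dir and evaluate both checks."""
    base = tempfile.mkdtemp(prefix="ssi-symlink-demo-")
    docroot = os.path.join(base, "www")
    os.mkdir(docroot)
    # A file outside the DocumentRoot that must never be served.
    secret = os.path.join(base, "outside.txt")
    with open(secret, "w") as fh:
        fh.write("not for the web\n")
    with open(os.path.join(docroot, "foo.txt"), "w") as fh:
        fh.write("hello\n")
    os.symlink("foo.txt", os.path.join(docroot, "link_to_foo.txt"))
    os.symlink(secret, os.path.join(docroot, "link_outside.txt"))

    findings = audit_symlinks(docroot)
    link_inside = os.path.join(docroot, "link_to_foo.txt")
    return {
        "outside_links": sorted(os.path.basename(p) for p, _, out in findings if out),
        "inside_links": sorted(os.path.basename(p) for p, _, out in findings if not out),
        "plain_file_ok": fs_policy_permits(os.path.join(docroot, "foo.txt"), False, False),
        # Same uid created link and target, so OwnerMatch allows; no option refuses.
        "link_denied_without_options": fs_policy_permits(link_inside, False, False),
        "link_allowed_owner_match": fs_policy_permits(link_inside, False, True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real DocumentRoot, audit_symlinks() lists every link an SSI include could reach under the buggy behaviour, with the ones resolving outside the root flagged; on a patched server the same links should produce an SSI error unless the matching Options are set.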