CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%
The Apache (1.3.14) web server’s file access protection scheme can be bypassed for the Mac OS X HFS+ filesystem.
The Apache web server’s file access protection scheme (i.e., file request “filtering”) assumes that the filesystem being protected is case sensitve. For example, in a case sensitive file system, such as UFS (the UNIX file system), the file name “ANY_file” and “any_FILE” refer to different files. The Mac’s HFS+ filesystem is case insensitve (e.g., the names “ANY_file”, “any_FILE”, and “any_file” all refer to the same file) . Under the Apache file access protection scheme you specify the directory (e.g., /ANY_directory) or filename (e.g., “/ANY_directory/ANY_file”) to be protected, but only directories or pathnames matchings the exact case you specify will be protected.
Under the Apache scheme, you specify whether to deny or allow access to a filesystem object (which can be a directory, filename, or URL). The specifications are called “directives”, which include <Directory>, <Files> and <Location> directives. See <http://httpd.apache.org/docs/mod/core.html#directory> for further information on directives. When you use a directive to deny access to a file or directory using the Apache web server under Mac OS X HFS+, the directive will NOT deny access to any other upper and lover case variation on the filename or directory.
Can bypass Apache file access protection, allowing remote unprivileged users to read privileged files.
Solution 1 - By default, Apache will allow access to any file mapped from a URL You should change the default to deny all access, and then use directives to override and allow access for only those directories and files that you want to be readable. Use regular expressions with directives such as <FilesMatch> and <DirectoryMatch> to cover upper and lover case variations. Be sure to thoroughly test your directives to ensure that Apache is properly allowing or denying access. The follwing advice is from the Apache web site (<http://httpd.apache.org/docs/mod/core.html#directory>):
**Note that the default Apache access for <Directory /> is**``**Allow from All**``**. This means that Apache will serve any file mapped from an URL. It is recommended that you change this with a block such as**`` `` <Directory /> Order Deny,Allow Deny from All </Directory> `` ``**and then override this for directories you**``**_want_**``** accessible. See the**``**_Security Tips_**``** (**``**<http://httpd.apache.org/docs/misc/security_tips.html>**``**) page for more details.**
Solution 2 - At least a partial fix (a shared object file “mod_hfs_apple.so”) is available on the Apple web site as part of thr Web Sharing version 1.0 released on 7-23-2001 – <http://www.apple.com/downloads/macosx/apple/websharingupdate.html> . This update fixes the problem when you specify protected directories (using the <Directory> and <Location> directives), but the fix may not work when you specify individual file names to be protected (using the <Files> directive. (See the 13-July-2001 message from Jacques Distler on the following web page: <http://www.macintouch.com/mosxreaderreports43.html>.) To overcome the case problem for individual filenames, you need to use the <FilesMatch> directive, and specify the filename using regular expressions that cover all upper and lower case variations. Even after applying this patch, it is recommended that you set the Apache default to deny all access, as described in solution 1 above.
Solution 3 - Use the UFS (Unix File System) instead of HFS+. UFS is case sensitive, so everything works as expected. Even if you use UFS, we still recommended that you set the Apache default to deny all access, as described in solution 1 above.
439395
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: September 28, 2001
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23439395 Feedback>).
Updated: September 28, 2001
Affected
**Web Sharing Update**``
-- <http://www.apple.com/downloads/macosx/apple/websharingupdate.html> . (Post date: 7/23/2001) ``The Web Sharing Update delivers enhancements and security improvements to Apache, including support for the case-insensitive Mac OS Extended file system (HFS+), and the latest version of OpenSSH.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23439395 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was initially posted to the bugtraq mailing list (bugtraq ID 2852) by Stefan Arentz.
This document was written by Howard Lipson.
CVE IDs: | CVE-2001-0766 |
---|---|
Severity Metric: | 3.60 Date Public: |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
79.3%