Lighttpd < 1.4.23 Source Code Disclosure Vulnerability (BSD/Solaris bug)

简介: Severe vulnerability due to a bug in FreeBSD, OS X and Solaris (
Severe vulnerability due to a bug in FreeBSD, OS X and Solaris (<10) filesystems affecting Lighttpd (<1.4.23)

A bug was discovered in the way FreeBSD, OS X and Solaris (prior version 10) handle symlinks appended with a slash (/).
Accessing a regular file through a symbolic link with appended slash succeeds because the slash apperently gets silently dropped.
On systems that do not expose this behaviour, a call to stat("symlink.php/") or open("symlink.php/") to a symlink
pointing to example.php, will not succeed and set errno to ENOTDIR. This is not the case on the systems mentioned.

The vulnerability arises when an application filters access to or decides how to handle a file based on a suffix match.
An attacker could circumvent normal behaviour by appended a slash to the filename, resulting in said access rules not applying.


Lighttpd in versions prior to 1.4.23 was not aware of this bug and therefor can be tricked by an attacker.
It decides how to process a request based on suffix rules provided in its config, usually matching "^.*/.php$".
The attacker can bypass this rule and gain access to the sourcecode of the .php file possibly revealing sensitive information like passwords.

Other applications, not only webservers, are probably vulnerable due to this flaw as well.

The bug has been known since at least the year 2000 but has remained unfixed to this day:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

Lighttpd 1.4.23 will include a workaround for said problem to prevent attacks.
Bug report: http://redmine.lighttpd.net/issues/1989

Description

If you put a trailing slash / after the .php and that file is a link, it will just display the content of the file.

2009-05-22 13:40:37: (response.c.221) -- splitting Request-URI
2009-05-22 13:40:37: (response.c.222) Request-URI : /index.php/
2009-05-22 13:40:37: (response.c.223) URI-scheme : http
2009-05-22 13:40:37: (response.c.224) URI-authority: localhost
2009-05-22 13:40:37: (response.c.225) URI-path : /index.php/
2009-05-22 13:40:37: (response.c.226) URI-query :
2009-05-22 13:40:37: (response.c.254) -- sanatising URI
2009-05-22 13:40:37: (response.c.255) URI-path : /index.php/
2009-05-22 13:40:37: (response.c.221) -- splitting Request-URI
2009-05-22 13:40:37: (response.c.222) Request-URI : /index.php/
2009-05-22 13:40:37: (response.c.223) URI-scheme : http
2009-05-22 13:40:37: (response.c.224) URI-authority: localhost
2009-05-22 13:40:37: (response.c.225) URI-path : /index.php/
2009-05-22 13:40:37: (response.c.226) URI-query :
2009-05-22 13:40:37: (response.c.254) -- sanatising URI
2009-05-22 13:40:37: (response.c.255) URI-path : /index.php/
2009-05-22 13:40:37: (mod_access.c.135) -- mod_access_uri_handler called
2009-05-22 13:40:37: (response.c.391) -- before doc_root
2009-05-22 13:40:37: (response.c.392) Doc-Root : /work/websites/freesoft.com/htdocs/
2009-05-22 13:40:37: (response.c.393) Rel-Path : /index.php/
2009-05-22 13:40:37: (response.c.394) Path :
2009-05-22 13:40:37: (response.c.442) -- after doc_root
2009-05-22 13:40:37: (response.c.443) Doc-Root : /work/websites/freesoft.com/htdocs/
2009-05-22 13:40:37: (response.c.444) Rel-Path : /index.php/
2009-05-22 13:40:37: (response.c.445) Path : /work/websites/freesoft.com/htdocs/index.php/
2009-05-22 13:40:37: (response.c.462) -- logical -> physical
2009-05-22 13:40:37: (response.c.463) Doc-Root : /work/websites/freesoft.com/htdocs/
2009-05-22 13:40:37: (response.c.464) Rel-Path : /index.php/
2009-05-22 13:40:37: (response.c.465) Path : /work/websites/freesoft.com/htdocs/index.php/
2009-05-22 13:40:37: (response.c.482) -- handling physical path
2009-05-22 13:40:37: (response.c.483) Path : /work/websites/freesoft.com/htdocs/index.php/
2009-05-22 13:40:37: (response.c.490) -- file found
2009-05-22 13:40:37: (response.c.491) Path : /work/websites/freesoft.com/htdocs/index.php/
2009-05-22 13:40:37: (response.c.640) -- handling subrequest
2009-05-22 13:40:37: (response.c.641) Path : /work/websites/freesoft.com/htdocs/index.php/
2009-05-22 13:40:37: (mod_indexfile.c.151) -- handling the request as Indexfile
2009-05-22 13:40:37: (mod_indexfile.c.152) URI : /index.php/
2009-05-22 13:40:37: (mod_access.c.135) -- mod_access_uri_handler called
2009-05-22 13:40:37: (mod_staticfile.c.394) -- handling file as static file
2009-05-22 13:40:37: (response.c.652) -- subrequest finished
2009-05-22 13:40:37: (response.c.121) Response-Header:

# milw0rm.com [2009-05-26]
目录
相关文章
|
安全 Linux
Lighttpd 'mod_userdir' Case Sensitive Comparison Security Bypass Vulnerability
Description Hi, I run lighttpd 1.4.19 on Linux on top of a case-insensitive filesystem (JFS with OS/2 compatibility enabled).
858 0
Lighttpd URI Rewrite/Redirect Information Disclosure Vulnerability
  Description Dear lighty community, I am using lighty to serve a wiki; to have nice urls, i use the following in my lighttpd.
822 0
|
应用服务中间件 nginx
|
关系型数据库 应用服务中间件 Linux
|
应用服务中间件 Apache nginx
|
应用服务中间件 nginx
x86_64-linux-gnu/libgdk-x11-2.0.so: error adding symbols: DSO missing from command line
x86_64-linux-gnu/libgdk-x11-2.0.so: error adding symbols: DSO missing from command line
237 0
|
Web App开发 Linux
Linux有问必答:如何修复Chrome的"Your profile could not be opened correctly"
Linux有问必答:如何修复Chrome的"Your profile could not be opened correctly" 提问:当我在linux打开Google Chrome 浏览器时,我已经几次收到弹出窗口,提示我的配置文件没有被正确打开(Your profile could not be opened correctly.)。
1377 0