Received: (qmail 28577 invoked by uid 2012); 20 Jan 1998 09:27:30 -0000 Message-Id: <19980120092730.28576.qmail@hyperreal.org> Date: 20 Jan 1998 09:27:30 -0000 From: Lauri Jesmin Reply-To: jesmin@ut.ee To: apbugs@hyperreal.org Subject: UserDir and absoluthe path. X-Send-Pr-Version: 3.2 >Number: 1701 >Category: mod_userdir >Synopsis: UserDir and absoluthe path. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Jan 20 01:30:00 PST 1998 >Last-Modified: Sat Feb 14 05:47:21 PST 1998 >Originator: jesmin@ut.ee >Organization: >Release: 1.2.5 >Environment: This problem was discovered under RedHat 5.0 with linux 2.0.33 and also works with irix 6.3. In both cases compiled with gcc. >Description: If we set UserDir to an absolute path (UserDir /home/web/ for example) then apache just adds username to this directory (for ~foo is /home/web/foo). But it's possible to give . or .. as username. So if you try to access ~. you can see the listing of UserDir (in our example /home/web) if there is no index.html or equivalent. And if we use .. as username, so we try to access ~.. in server, we can see one directory up from UserDir (/home in our example). If we use ~../.. as username, the handling seems to be correct. >How-To-Repeat: Just set the UserDir to /tmp and watch your /tmp directory and / directory from browser. >Fix: Probably check for username if UserDir is given as absolute path and if it is . or .. , deny access. >Audit-Trail: State-Changed-From-To: open-analyzed State-Changed-By: marc State-Changed-When: Tue Jan 20 07:28:10 PST 1998 State-Changed-Why: Grr. You are correct. While this problem hopefully doesn't impact too many people too seriously (since most people don't use that form of userdir, and even if they do on most systems it would only let people get a listing of what they can get anyway. On some systems, however, it is more serious. "UserDir DISABLED .." should work around the problem on 1.3 systems. State-Changed-From-To: analyzed-closed State-Changed-By: dgaudet State-Changed-When: Sat Feb 14 05:47:21 PST 1998 State-Changed-Why: Patches committed to 1.2.6-dev and 1.3b6-dev. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]