Received: (qmail 93532 invoked by uid 501); 27 Jun 2001 09:37:20 -0000 Message-Id: <20010627093720.93529.qmail@apache.org> Date: 27 Jun 2001 09:37:20 -0000 From: Stipe Tolj Reply-To: tolj@wapme-systems.de To: submit@bugz.apache.org Subject: Security hole for restrictions for Cygwin 1.x X-Send-Pr-Version: 3.110 >Number: 7944 >Category: os-windows >Synopsis: Security hole for restrictions for Cygwin 1.x >Confidential: no >Severity: critical >Priority: medium >Responsible: apache >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Jun 27 02:40:01 PDT 2001 >Closed-Date: >Last-Modified: >Originator: tolj@wapme-systems.de >Release: 1.3.20 >Organization: apache >Environment: $ uname-a CYGWIN_NT-4.0 WAPME-244 1.1.8(0.34/3/2) 2001-01-31 10:08 i686 unknown Cygwin 1.1.8 running on WinNT4sp6. >Description: Bill Stoddard has suggested to check this and it produced a SECURITY whole for the Cygwin 1.x platform! On WinNT and Win2000 operating systems running Apache for Cygwin requesting users may circumvent any restrictions using Windows canonical (shorten) filenames (based on 8.3 format). This problem arises from the underlying Cygwin 1.x layer which seems to make no differences how the file/dir is addressed. >How-To-Repeat: restrict a specific directory under DocumentRoot, i.e. # httpd.conf Order deny, allow Deny from all Allow from 10.0.0.2 Requesting /foobardir from 10.0.0.1 gets 403 Forbidden. Requesting /foobar~1 from 10.0.0.1 gets whatever the dir contains (indexing, etc.) >Fix: I'll check the sources to see if there is an implementation within the Windows specific parts and incorporate that for the Cygwin platform within the Unix based sources. Patch will be posted to new-httpd@apache.org. >Release-Note: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]