Received: (qmail 36893 invoked by uid 501); 28 Oct 2001 00:09:46 -0000 Message-Id: <20011028000946.36892.qmail@apache.org> Date: 28 Oct 2001 00:09:46 -0000 From: Iain Truskett Reply-To: ict@eh.org To: submit@bugz.apache.org Subject: Multiviews clearing query_string X-Send-Pr-Version: 3.110 >Number: 8628 >Category: mod_negotiation >Synopsis: Multiviews clearing query_string >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Oct 29 00:00:02 PST 2001 >Closed-Date: Tue Dec 18 07:41:58 PST 2001 >Last-Modified: Tue Dec 18 07:41:58 PST 2001 >Originator: ict@eh.org >Release: 1.3.22 >Organization: >Environment: linux 2.2.14-5.0 #1 (redhat 6.1) gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) and also: linux 2.4.2-2 #1 (redhat 7.1) gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81) >Description: Basically, if Apache has to resolve a URI using multiviews, then it discards the query_string part of the request. In the examples below, you will note that QUERY_STRING has content with the qtest.cgi requests, but not with the qtest requests. It's quite possible that this bug was introduced as a sideeffect to fixing the bug mentioned in the 1.3.22 release notes, but don't hold me to that: * A vulnerability was found when Multiviews are used to negotiate the directory index. In some configurations, requesting a URI with a QUERY_STRING of M=D could return a directory listing rather than the expected index page. CAN-2001-0731 The qtest.cgi script consists of: --------------------------------------------- #!/usr/bin/perl -w use strict; use CGI; use Data::Dumper; my $q = new CGI; print $q->header(), $q->start_html('Hi!'); print $q->pre(Dumper(\%ENV,$q->param)); print $q->end_html; --------------------------------------------- >How-To-Repeat: http://brucehall.anu.edu.au/qtest?test=ict http://brucehall.anu.edu.au/qtest.cgi?test=ict http://brucehall.anu.edu.au/qtest.cgi/?test=ict http://brucehall.anu.edu.au/qtest/?test=ict >Fix: If only. >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: wrowe State-Changed-When: Tue Dec 18 07:41:57 PST 2001 State-Changed-Why: This will be fixed in the next (.23) release. Thanks for your report! >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]