CAN-2001-0925: Requests Can Cause Directory Listing to Be Displayed

This vulnerability is listed at http://www.apacheweek.com/features
/security-13. Detailed information about this problem is documented here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0925.

Exploiting this problem, an attacker can view the list of files stored in a directory, even if an index.html file is present, if an extraordinary number of slashes (/) are sent to Apache in the requested resource. A request made this way would look like this:

GET ////////////////////////////////////////////// HTTP/1.1

The number of slashes depends on the attacked server.

The attacker can also view the content of any file, if its correct file name is placed where the slashes would have been:

GET ////////////////////////////////////a_file.txt HTTP/1.1

This is an example of a perfectly legal HTTP request that causes problems for Apache (RFC 2396 explains what the syntactic components of a URI are, and of course there is no mention of a limitation on the number of slashes that a URI can have).

The first resource provided by CVE is the Apache announcement:

BUGTRAQ:20010312 FORW: [ANNOUNCE] Apache 1.3.19 Released

It is a link to BUGTRAQ. Using BUGTRAQ’s mail archive at http://www.securityfocus.com/archive/1, you can find the messages posted on March 12, 2001 (from 20010312). Figure 2-1 shows the message: the problem was acknowledged and fixed by the Apache Group. This is enough to prove that a problem actually was there.

Figure 2-1. The message on BUGTRAQ that confirms the problem

This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.