Because Apache is complex, coding errors are possible. Fortunately, Apache is mature enough that such errors are infrequent, and those that were overlooked are occasionally found and fixed. This chapter covers some basics of Apache’s vulnerabilities and recent known security problems. (From Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
By exploiting this problem, an attacker can view the list of files stored in a directory, even if an index.html file is present, by sending Apache an extraordinary number of slashes (/) in the requested resource. A request made this way would look like this:
GET ////////////////////////////////////////////// HTTP/1.1
The number of slashes depends on the attacked server.
The attacker can also view the content of any file, if its correct file name is placed where the slashes would have been:
GET ////////////////////////////////////a_file.txt HTTP/1.1
This is an example of a perfectly legal HTTP request that causes problems for Apache (RFC 2396 explains what the syntactic components of a URI are, and of course there is no mention of a limitation on the number of slashes that a URI can have).
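Because the request is syntactically legal, the practical place to spot it is the access log. The following Python is an added example, not code from the book or from the Apache project: it assumes Common Log Format and a hypothetical threshold of 8 consecutive slashes (MIN_RUN), and its log lines are constructed.

```python
import re

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MIN_RUN = 8  # assumed threshold; the text only says the count varies per server


def classify(line, min_run=MIN_RUN):
    """Return a finding dict for a request with a long slash run, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path = m.group('target').split('?', 1)[0]  # ignore the query string
    run = max((len(r) for r in re.findall(r'/+', path)), default=0)
    if run < min_run:
        return None
    return {
        'host': m.group('host'),
        # Only slashes: the directory-listing form; slashes + name: the file form.
        'kind': 'listing' if path.strip('/') == '' else 'file',
        'run': run,
        'served': m.group('status') == '200',  # 200 means a body was returned
    }


def scan(lines, min_run=MIN_RUN):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l, min_run) for l in lines) if f]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2001:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.77 - - [12/Mar/2001:10:00:05 +0000] "GET ' + '/' * 46 + ' HTTP/1.1" 200 812',
    '192.0.2.77 - - [12/Mar/2001:10:00:09 +0000] "GET ' + '/' * 36 + 'a_file.txt HTTP/1.1" 403 210',
    '192.0.2.31 - - [12/Mar/2001:10:00:12 +0000] "GET /docs//faq.html HTTP/1.1" 200 5120',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with served set to True on a server that has not been updated to the fixed release is the case worth investigating first.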
The first resource provided by CVE is the Apache announcement:
BUGTRAQ:20010312 FORW: [ANNOUNCE] Apache 1.3.19 Released
It is a link to BUGTRAQ. Using BUGTRAQ’s mail archive at http://www.securityfocus.com/archive/1, you can find the messages posted on March 12, 2001 (from 20010312). Figure 2-1 shows the message: the problem was acknowledged and fixed by the Apache Group. This is enough to prove that a problem actually was there.
Figure 2-1. The message on BUGTRAQ that confirms the problem