Opened 12 years ago
Last modified 6 years ago
#38452 assigned defect
Information disclosure vulnerability with apache2 and other web servers
| Reported by: | vikingjs@… | Owned by: | ryandesign (Ryan Carsten Schmidt) |
|---|---|---|---|
| Priority: | High | Milestone: | |
| Component: | ports | Version: | 2.1.3 |
| Keywords: | Cc: | cooljeanius (Eric Gallager), neverpanic (Clemens Lang), mp@…, Schamschula (Marius Schamschula), pixilla (Bradley Giesbrecht) | |
| Port: | apache2 |
Description
Apple has identified a critical security issue that allows attackers to see the source code of Web pages. It is outlined here: http://packetstormsecurity.com/files/120820/Apple-Security-Advisory-2013-03-14-1.html. In summary, Passuing a url like: http://mydomain.com/index.p%E2%80%8Chp will dump the php of the file raw, rather than executing it on the server.
I have fixed the issue on my local machines by copying mod_hfs_apple.so from its preinstalled location (after updating MacOS), and adding an entry in https.conf to load that module.
Change History (16)
comment:1 Changed 12 years ago by danielluke (Daniel J. Luke)
comment:2 Changed 12 years ago by cooljeanius (Eric Gallager)
Generally security issues get "high" priority, don't they?
comment:4 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | ryandesign@… added |
|---|
apache2 is my port but I'm unsure what action you want us to take. apache2 is already at the latest 2.2.x version. (The request to update to 2.4.x is #35824.)
comment:5 Changed 12 years ago by mf2k (Frank Schima)
It seems this is an issue with Apple's Apache 2, not the Macports one.
comment:6 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
| Priority: | Normal → High |
|---|---|
| Summary: | Apache on HFS Critical Security Issue → PHP code disclosure vulnerability with apache2 and other web servers |
I am able to reproduce the issue with MacPorts apache2 @2.2.4 and php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP versions. I need to see upstream apache / lighttpd / php bug reports to determine what we should do to fix it.
comment:7 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
I have a feeling it's the web server's responsibility to fix this, not PHP's. I've emailed the developer of lighttpd about this and will now look into apache.
comment:8 Changed 12 years ago by vikingjs@…
Note that the specific exploit I provided exposed php code, but the hole is by no means limited to php. The exploit can be used to reveal any server-side scripting. A port of mod_hfs_apple seems like the most universal solution, if it's feasible.
comment:9 follow-up: 10 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | cal@… added |
|---|---|
| Summary: | PHP code disclosure vulnerability with apache2 and other web servers → Information disclosure vulnerability with apache2 and other web servers |
Yes I realize that.
I have reported the problem to the Apache security list now too.
Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box. Also it would not help lighttpd. I have not tested nginx or other web servers.
comment:10 follow-up: 11 Changed 12 years ago by cooljeanius (Eric Gallager)
Replying to ryandesign@…:
Yes I realize that.
I have reported the problem to the Apache security list now too.
Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box.
I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
comment:11 follow-up: 12 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to dluke@…:
I would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/) I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.
I doubt it since it was last modified in 2011.
Replying to egall@…:
I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
Let's have a separate ticket for that.
comment:12 follow-up: 13 Changed 12 years ago by cooljeanius (Eric Gallager)
Replying to ryandesign@…:
Replying to egall@…:
I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
Let's have a separate ticket for that.
OK: #38461
comment:13 Changed 11 years ago by mp@…
Replying to egall@…:
Replying to ryandesign@…:
Replying to egall@…:
I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
Let's have a separate ticket for that.
OK: #38461
A solution is presented in comment:ticket:38461:7
For now it's only been tested on Tiger, but it should work on all OS X versions. Anyone willing to test is most welcome.
comment:15 Changed 7 years ago by jmroot (Joshua Root)
| Cc: | Schamschula pixilla added |
|---|
comment:16 Changed 6 years ago by mf2k (Frank Schima)
| Cc: | ryandesign removed |
|---|---|
| Owner: | changed from macports-tickets@… to ryandesign |
| Status: | new → assigned |
Is this still an issue?
I would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/) I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.