[ESA-20010620-02] apache directory listing vulnerability

From: EnGarde Secure Linux (securityat_private)
Date: Thu Jun 21 2001 - 14:08:35 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    
    +------------------------------------------------------------------------+
    | EnGarde Secure Linux Security Advisory                   June 20, 2001 |
    | http://www.engardelinux.org/                           ESA-20010620-02 |
    |                                                                        |
    | Package:  apache                                                       |
    | Summary:  An attacker can bypass index files and retrieve a directory  |
    |           listing.                                                     |
    +------------------------------------------------------------------------+
    
      EnGarde Secure Linux is a secure distribution of Linux that features
      improved access control, host and network intrusion detection, Web
      based secure remote management, complete e-commerce using AllCommerce,
      and integrated open source security tools.
    
    
    OVERVIEW
    - --------
      There is a vulnerability in apache by which an attacker can get a
      directory listing even when an index file (such as index.html) is
      present.
    
    
    DETAIL
    - ------
      By sending apache a very long path containing slashes, an attacker can
      trick mod_negotiation and mod_dir/mod_autoindex into displaying a
      directory listing.  This was fixed in apache version 1.3.18 (which was
      an internal release not made available to the public).  This updated
      package will now return a 403 (FORBIDDEN) when such a request is made.
    
    
    SOLUTION
    - --------
      All users should upgrade to the most recent version, as outlined in
      this advisory.  All updates can be found at:
    
        ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/
    
      Before upgrading the package, the machine must either:
    
        a) be booted into a "standard" kernel; or
        b) have LIDS disabled.
    
      To disable LIDS, execute the command:
    
        # /sbin/lidsadm -S -- -LIDS_GLOBAL
    
      To install the updated package, execute the command:
    
        # rpm -Uvh <filename>
    
      Once the updated package is installed, you need to restart the web
      server:
    
        # /etc/init.d/httpd restart
    
      To re-enable LIDS (if it was disabled), execute the command:
    
        # /sbin/lidsadm -S -- +LIDS_GLOBAL
    
      To verify the signature of the updated packages, execute the command:
    
        # rpm -Kv <filename>
    
    
    UPDATED PACKAGES
    - ----------------
      These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).
    
      Source Packages:
    
        SRPMS/apache-1.3.20-1.0.25.src.rpm
          MD5 Sum:  23e58c358deef336067d165b51ed7b3d
    
      Binary Packages:
    
        i386/apache-1.3.20-1.0.25.i386.rpm
          MD5 Sum:  084e9b7630af62f540e539e7a66af559
    
        i686/apache-1.3.20-1.0.25.i686.rpm
          MD5 Sum:  aab4dc51aca297660eee675a56fc506b
    
    
    REFERENCES
    - ----------
      Guardian Digital's public key:
        http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
    
      Credit for the discovery of this bug goes to:
        Martin Kraemer
    
      Apache's Official Web Site:
        http://httpd.apache.org/
    
      Apache's Changelog:
        http://httpd.apache.org/dist/httpd/CHANGES_1.3
    
    
    - --------------------------------------------------------------------------
    $Id: ESA-20010620-02-apache,v 1.3 2001/06/20 18:51:29 rwm Exp $
    - --------------------------------------------------------------------------
    Author: Ryan W. Maple, <ryanat_private> 
    Copyright 2001, Guardian Digital, Inc.
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE7MmJZHD5cqd57fu0RAm+hAJ41UiSJyHXoD1M0nzHi+M050ejezACgnWQj
    xsg34aiQ4P/NzAw7P0xZDh8=
    =d1NS
    -----END PGP SIGNATURE-----
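
A log check for the request pattern described under DETAIL, as an added example that is not part of the original advisory: it scans Common Log Format access-log lines for paths with an unusually large number of slashes and separates requests the server rejected with 403 (the updated package's behaviour) from requests it served. The threshold `MIN_SLASHES`, the function names and the sample log lines are assumptions constructed for illustration; the advisory gives no specific path length.

```python
import re

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

MIN_SLASHES = 64  # assumed threshold for "very long path containing slashes"


def classify(line):
    """Return a finding dict for a slash-heavy request, or None otherwise."""
    m = CLF.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    slashes = path.count("/")
    if slashes < MIN_SLASHES:
        return None
    status = int(m.group("status"))
    if status == 403:
        verdict = "rejected"  # what the updated package returns
    elif 200 <= status < 300:
        verdict = "served"    # content came back: review for an exposed listing
    else:
        verdict = "other"
    return {"host": m.group("host"), "time": m.group("time"),
            "slashes": slashes, "status": status, "verdict": verdict}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample lines (documentation addresses, arbitrary slash count).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jun/2001:10:00:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [21/Jun/2001:10:02:13 -0700] "GET /docs' + "/" * 200 + ' HTTP/1.0" 200 2310',
    '192.0.2.77 - - [21/Jun/2001:10:05:40 -0700] "GET /docs' + "/" * 200 + ' HTTP/1.0" 403 289',
    '192.0.2.10 - - [21/Jun/2001:10:06:00 -0700] "GET /a/b/c/d/page.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "served" finding on a host that has not yet been upgraded is the case to review first; "rejected" findings show the updated package refusing the request.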
    


