Ticket #1392 (closed defect: duplicate)

Opened 11 months ago

Last modified 9 days ago

mod_rewrite vulnerability

Reported by: sparrow@… Owned by: jan
Priority: high Milestone:
Component: mod_rewrite Version: 1.4.18
Severity: critical Keywords: patch
Cc: Blocked By:
Need User Feedback: no Blocking:

Description

lighttpd-1.4.18

lighttpd.conf:

$HTTP["host"] =~ "^(www\.)?(.)(.*)\.abc\.de:81$" {
    server.document-root = "/home/abc_de"

    url.rewrite-once = (
        # files
--------->        "^/files/(.*)$" => "/users/%2/%2%3/files/$1",

        # site
        "^(.*)$" => "/users/%2/%2%3/index.php/$1"
    )
}

request:

telnet test.abc.de 81

---------> GET /files/../settings/myfile.gz HTTP/1.1
Host: abc.de:81
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1.6) Gecko/20070830 Firefox/2.0.0.6
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

log:

(response.c.205) -- splitting Request-URI

******************************************************************************************************
**** Rewrite: ^/files/(.*)$
******************************************************************************************************

(response.c.206) Request-URI  :  /files/../settings/myfile.gz
(response.c.207) URI-scheme   :  http
(response.c.208) URI-authority:  test.abc.de:81
(response.c.209) URI-path     :  /files/../settings/myfile.gz
(response.c.210) URI-query    :
(response.c.205) -- splitting Request-URI
(response.c.206) Request-URI  :  /users/t/test/files/../settings/myfile.gz
(response.c.207) URI-scheme   :  http
(response.c.208) URI-authority:  test.abc.de:81
(response.c.209) URI-path     :  /users/t/test/files/../settings/myfile.gz
(response.c.210) URI-query    :
(response.c.260) -- sanatising URI

******************************************************************************************************
**** Vulnerability **** (response.c.261) URI-path     :  /users/t/test/settings/myfile.gz
******************************************************************************************************

(mod_access.c.135) -- mod_access_uri_handler called
(response.c.375) -- before doc_root
(response.c.376) Doc-Root     : /home/abc_de
(response.c.377) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.378) Path         :
(response.c.426) -- after doc_root
(response.c.427) Doc-Root     : /home/abc_de
(response.c.428) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.429) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.446) -- logical -> physical
(response.c.447) Doc-Root     : /home/abc_de
(response.c.448) Rel-Path     : /users/t/test/settings/myfile.gz
(response.c.449) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.466) -- handling physical path
(response.c.467) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.474) -- file found
(response.c.475) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(response.c.613) -- handling subrequest
(response.c.614) Path         : /home/abc_de/users/t/test/settings/myfile.gz
(mod_access.c.135) -- mod_access_uri_handler called
(mod_staticfile.c.394) -- handling file as static file
(response.c.625) -- subrequest finished
(response.c.114) Response-Header:
HTTP/1.1 200 OK
Content-Type: application/x-gzip
Accept-Ranges: bytes
ETag: "210873236"
Last-Modified: Sun, 30 Sep 2007 02:03:03 GMT
Content-Length: 6057
Date: Sun, 30 Sep 2007 13:50:39 GMT
Server: Apache Server

Attachments

Change History

Changed 11 months ago by lukasz/@…

If I understand it correctly, the problem comes from rewriting URLs before sanitizing them - it leads to a directory traversal vulnerability in the above example. Is it behavior by design? How should such rules be written then? Can someone confirm the bug?

Changed 7 months ago by stbuehler

  • keywords patch added; mod_rewrite removed
  • component changed from core to mod_rewrite
  • pending unset

I think you could just write your own vhost plugin, use the mysql one or use a script to generate the config.

As mod_rewrite matches the request.uri, it would not help to move it after sanitizing.
We have to:

  • Move it from uri_raw to uri_clean handler (path gets sanitised between)
  • Build a sanitised request-uri

See attached patch.
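
The ordering shown in the description (rewrite on the raw request-uri, then sanitise) next to the ordering described in the comment above (sanitise first, build a clean request-uri, then rewrite), as an added example that is not part of this ticket or of lighttpd's code. The rules and host condition are the ones from the ticket's lighttpd.conf; posixpath.normpath stands in for lighttpd's path simplifier, the %N/$N expansion is a minimal re-implementation of mod_rewrite's substitution, and the function names are this example's own.

```python
import posixpath
import re
from urllib.parse import urlsplit, urlunsplit

# Host condition and url.rewrite-once rules from the ticket's lighttpd.conf.
# As in mod_rewrite, %N refers to a capture of the enclosing $HTTP["host"]
# condition and $N to a capture of the rewrite pattern.
HOST_COND = re.compile(r"^(www\.)?(.)(.*)\.abc\.de:81$")
REWRITE_RULES = [
    (re.compile(r"^/files/(.*)$"), "/users/%2/%2%3/files/$1"),
    (re.compile(r"^(.*)$"), "/users/%2/%2%3/index.php/$1"),
]
DOC_ROOT = "/home/abc_de"


def expand(template, host_m, path_m):
    """Substitute %N (host captures) and $N (pattern captures)."""
    def host_ref(m):
        return host_m.group(int(m.group(1))) or ""

    def path_ref(m):
        return path_m.group(int(m.group(1))) or ""

    out = re.sub(r"%(\d)", host_ref, template)
    return re.sub(r"\$(\d)", path_ref, out)


def rewrite_once(host, request_uri):
    """Apply the first matching rule (url.rewrite-once) to the request-uri
    string, which mod_rewrite matches as a whole (path and query)."""
    host_m = HOST_COND.match(host)
    if host_m is None:
        return request_uri
    for pattern, template in REWRITE_RULES:
        m = pattern.match(request_uri)
        if m:
            return expand(template, host_m, m)
    return request_uri


def sanitise(path):
    """Collapse '.', '..' and repeated '/' segments. posixpath.normpath is used
    here as a stand-in for lighttpd's path simplifier (an assumption of this
    example, not lighttpd's routine)."""
    return posixpath.normpath(path)


def physical_path_1_4_18(host, request_uri):
    """1.4.18 order (uri_raw handler): rewrite the raw request-uri, then
    sanitise the resulting path. The '..' survives the rewrite and is resolved
    relative to the rewritten prefix, so it escapes /files/."""
    rewritten = rewrite_once(host, request_uri)
    path = sanitise(urlsplit(rewritten).path)
    return DOC_ROOT + path


def physical_path_fixed(host, request_uri):
    """Order described in the fix (uri_clean handler): sanitise the path first,
    rebuild a clean request-uri from it (keeping the query), rewrite that, and
    sanitise again. The '..' is resolved before any prefix is prepended."""
    parts = urlsplit(request_uri)
    clean_uri = urlunsplit(("", "", sanitise(parts.path), parts.query, ""))
    rewritten = rewrite_once(host, clean_uri)
    path = sanitise(urlsplit(rewritten).path)
    return DOC_ROOT + path


def main():
    host = "test.abc.de:81"  # the URI-authority from the ticket's log
    for uri in ("/files/../settings/myfile.gz", "/files/readme.txt"):
        print(uri)
        print("  1.4.18 :", physical_path_1_4_18(host, uri))
        print("  fixed  :", physical_path_fixed(host, uri))


if __name__ == "__main__":
    main()
```

For the ticket's request the 1.4.18 order yields /home/abc_de/users/t/test/settings/myfile.gz, the path the log shows being served as a static file; with the path sanitised first, /files/../settings/myfile.gz becomes /settings/myfile.gz before the rules run, no longer matches the /files/ rule, and falls through to the index.php rule instead. A plain /files/readme.txt is mapped identically by both orders, which is why the reordering does not change the behaviour of well-formed requests.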

Changed 9 days ago by stbuehler

  • status changed from new to closed
  • resolution set to duplicate

See similar problem #1720. Fixed.
