logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: mod_xsendfile security vulnerability
Author
jabaltie



Joined: 02 Aug 2006
Posts: 12
Location: Brazil

PostPosted: Wed 09 Aug '06 16:32    Post subject: mod_xsendfile security vulnerability Reply with quote

I have installed mod_xsendfile and it's working OK. Thanks to Mr Maier and Mr Steffen who helped me to get there.

Now, my scripts are issuing the header and Apache is interpreting it correctly, sending the designated file to the client.

However, the problem is that the X-SENDFILE header is appearing at client side, showing the internal file system path to the end user.

This is a security vulnerability.

Notice that the original x-sendfile from Lighty, from where this module was inspired, DOES NOT DO THAT. That is, Lighty http server "swallows" this header. It does not show that information to the end user.
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Tue 15 Aug '06 16:34    Post subject: Reply with quote

I'm not seeing that. On Windows using Steffen's mod_xsendfile, I see this response:
Quote:
GET /xsendfile.cfm HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Tue, 15 Aug 2006 14:25:01 GMT
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
Content-Disposition: attachment; filename="test.zip"
Last-Modified: Sat, 29 Jan 2005 21:53:57 GMT
Content-Length: 11981
ETag: "b7765-2ecd-d1e69b64"
Content-Type: application/zip

PK??{zipfile}


The X-SENDFILE header is gone (as it should be), and the original filename isn't visible.
I got mod_xsendfile from http://www.apachelounge.com/download/
Back to top
jabaltie



Joined: 02 Aug 2006
Posts: 12
Location: Brazil

PostPosted: Tue 15 Aug '06 16:48    Post subject: Reply with quote

What is your script issuing ?

Can you try your script to issue something simpler ?

In my case, the script is issuing this :

Pragma1: some comments of my own
Pragma2: yet some more comments
Content-Type: text/html
X-Sendfile: d:\gttmp\afile.htm

Can you try it and tell us ?

Also, let me know which Apache version are you using for Windows.
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Thu 17 Aug '06 16:13    Post subject: Reply with quote

My test script is issuing:
Quote:
X-Sendfile: xsendfiles\t.zip
Content-Type: application/zip
Content-Disposition: attachment; filename="test.zip"


I tried a text file (text/html) and I had no problems with this either; either with or without the Content-disposition header.

The Server header in my previous post shows what version I am running:
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
This was built from source using Visual C++ 8.

Your filename d:\gttmp\afile.htm looks suspicious. XSendfile requires that the file be located below the webroot.
Back to top
jabaltie



Joined: 02 Aug 2006
Posts: 12
Location: Brazil

PostPosted: Tue 22 Aug '06 13:22    Post subject: Reply with quote

tdonovan wrote:
My test script is issuing:
Quote:
X-Sendfile: xsendfiles\t.zip
Content-Type: application/zip
Content-Disposition: attachment; filename="test.zip"


I tried a text file (text/html) and I had no problems with this either; either with or without the Content-disposition header.

The Server header in my previous post shows what version I am running:
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
This was built from source using Visual C++ 8.

Your filename d:\gttmp\afile.htm looks suspicious. XSendfile requires that the file be located below the webroot.


Here are some points :

    You're using version 2.2.2 whereas I'm on 2.0.58. I cant go to that version cause I use mod_FastCGI and this one has not been upgraded to this version. Please notice that this FastCGI is the official one, not the one which is published by this site.


    There's no problem when I put files outside the server root. The header is processed accordingly. The only fault is that this header will appear at client side.


I'm asking too much but, maybe you would like to run 2.0.58 and see what happens...
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Tue 22 Aug '06 14:10    Post subject: Reply with quote

jabaltie did you try out the mod_fastcgi from apachelounge.com? Doesn't it work correcly?
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Tue 22 Aug '06 16:22    Post subject: Reply with quote

The mod_xsendfile which Steffen built will only work with Apache 2.2.x - not with Apache 2.0.58. It says so in the "ReadMe First.txt" included in the .zip

I built an Apache 2.0.58 on Windows and also built a mod_xsendfile to use with it from the source code. Here are my exact steps:
Code:
I got the Apache 2.0.58 source code from the Apache archives
    http://archive.apache.org/dist/httpd/httpd-2.0.58-win32-src.zip

I set up my build environment for Visual C++ 2005 Express Edition
    and Microsoft Platform SDK for Windows Server 2003 R2
   
I built Apache 2.0.58 with this command:

    NMAKE /f Makefile.win   SERVERNAME="localhost" PORT=80 INSTDIR="C:\Program Files\Apache Group\Apache2058"   _apacher

I installed Apache 2.0.58 with this command:
   
    NMAKE /f Makefile.win   SERVERNAME="localhost" PORT=80 INSTDIR="C:\Program Files\Apache Group\Apache2058"   installr

I downloaded the mod_xsendfile source from http://celebnamer.celebworld.ws/stuff/mod_xsendfile/mod_xsendfile.c

I built mod_xsendfile.so with this command:

    CL /I"C:\Program Files\Apache Group\Apache2058\include" mod_xsendfile.c /LD /Femod_xsendfile.so /DWIN32 /link "C:\Program Files\Apache Group\Apache2058\lib\*.lib"
   
I copied mod_xsendfile.so to "C:\Program Files\Apache Group\Apache2058\modules\"

I edited my httpd.conf and added these two lines:

    LoadModule xsendfile_module modules/mod_xsendfile.so
    XSendFile on

It works fine for me - the correct files are sent and no X-SENDFILE header is sent to client.

Whenever I attempt to send a file which is not under the webroot I get this error in my log:
[Tue Aug 22 09:46:04 2006] [error] [client 127.0.0.1] (20023)The given path was above the root path: xsendfile: unable to find file: C:\\TEMP\\test.txt
and the client receives a "404 Not Found" error.

I noticed that your post of August 02 points to your Apache apache2.conf file. In it you have the directive "XsendFileAllowAbove on"
What's this about? There's no such directive in the mod_xsendfile version 0.8, Copyright 2006 by Nils Maier,
which I downloaded from http://celebnamer.celebworld.ws/stuff/mod_xsendfile/mod_xsendfile.c

Perhaps you are not using the same mod_xsendfile code that I (and Steffen) are using? The flag APR_FILEPATH_SECUREROOT in mod_xsendfile.c is what causes this behavior. If this flag is removed from the call to apr_filepath_merge, then files would not need to be under the webroot.

-tom-
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Sat 26 Aug '06 17:52    Post subject: Reply with quote

Hi jabaltie,

Did you ever get mod_xsendfile running to your satisfaction on 2.0.58?

Just curious...

-tom-
Back to top
jabaltie



Joined: 02 Aug 2006
Posts: 12
Location: Brazil

PostPosted: Mon 28 Aug '06 15:45    Post subject: Reply with quote

tdonovan wrote:
Hi jabaltie,

Did you ever get mod_xsendfile running to your satisfaction on 2.0.58?

Just curious...

-tom-


First of all, thank you SO MUCH ! You are being very helpful.

No, I'm not satisfied.

I wanna run 2.2.2 but I cant have official FastCGI compiled for it. The one which is published here at this site is not the official FastCGI.

On the other hand, mod_xsendfile needed 2.2.2.

So, I'm between the cross and the sword, as we say here in Brazil.

I guess I'll try to build mod_xsendfile from the instructions above.

As for the XsendFileAllowAbove on I guess the author suggested it.

Thanks again !

I'll let you know about my results, of course.
Back to top
jabaltie



Joined: 02 Aug 2006
Posts: 12
Location: Brazil

PostPosted: Mon 28 Aug '06 16:06    Post subject: Reply with quote

Well I tried to compile it but got lost ...

I thought about something way, way simpler :

Would you be so kind to send me that mod_xsendfile.so that you successfully compiled there at your side for 2.0.58 ?

What do you think ?

If so, you may send to my email : jabaltie at unimep dot br (it's not dot com !)

Once more, thank you !
Back to top


Reply to topic   Topic: mod_xsendfile security vulnerability View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules