Author |
|
jabaltie
Joined: 02 Aug 2006 Posts: 12 Location: Brazil
|
Posted: Wed 09 Aug '06 16:32 Post subject: mod_xsendfile security vulnerability |
|
|
I have installed mod_xsendfile and it's working OK. Thanks to Mr Maier and Mr Steffen who helped me to get there.
Now, my scripts are issuing the header and Apache is interpreting it correctly, sending the designated file to the client.
However, the problem is that the X-SENDFILE header is appearing at client side, showing the internal file system path to the end user.
This is a security vulnerability.
Notice that the original x-sendfile from Lighty, from where this module was inspired, DOES NOT DO THAT. That is, Lighty http server "swallows" this header. It does not show that information to the end user. |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Tue 15 Aug '06 16:34 Post subject: |
|
|
I'm not seeing that. On Windows using Steffen's mod_xsendfile, I see this response:
Quote: | GET /xsendfile.cfm HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Tue, 15 Aug 2006 14:25:01 GMT
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
Content-Disposition: attachment; filename="test.zip"
Last-Modified: Sat, 29 Jan 2005 21:53:57 GMT
Content-Length: 11981
ETag: "b7765-2ecd-d1e69b64"
Content-Type: application/zip
PK??{zipfile} |
The X-SENDFILE header is gone (as it should be), and the original filename isn't visible.
I got mod_xsendfile from http://www.apachelounge.com/download/ |
|
Back to top |
|
jabaltie
Joined: 02 Aug 2006 Posts: 12 Location: Brazil
|
Posted: Tue 15 Aug '06 16:48 Post subject: |
|
|
What is your script issuing ?
Can you try your script to issue something simpler ?
In my case, the script is issuing this :
Pragma1: some comments of my own
Pragma2: yet some more comments
Content-Type: text/html
X-Sendfile: d:\gttmp\afile.htm
Can you try it and tell us ?
Also, let me know which Apache version are you using for Windows. |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Thu 17 Aug '06 16:13 Post subject: |
|
|
My test script is issuing:
Quote: | X-Sendfile: xsendfiles\t.zip
Content-Type: application/zip
Content-Disposition: attachment; filename="test.zip" |
I tried a text file (text/html) and I had no problems with this either; either with or without the Content-disposition header.
The Server header in my previous post shows what version I am running:
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
This was built from source using Visual C++ 8.
Your filename d:\gttmp\afile.htm looks suspicious. XSendfile requires that the file be located below the webroot. |
|
Back to top |
|
jabaltie
Joined: 02 Aug 2006 Posts: 12 Location: Brazil
|
Posted: Tue 22 Aug '06 13:22 Post subject: |
|
|
tdonovan wrote: | My test script is issuing:
Quote: | X-Sendfile: xsendfiles\t.zip
Content-Type: application/zip
Content-Disposition: attachment; filename="test.zip" |
I tried a text file (text/html) and I had no problems with this either; either with or without the Content-disposition header.
The Server header in my previous post shows what version I am running:
Server: Apache/2.2.2 (Win32) mod_ssl/2.2.2 OpenSSL/0.9.8b JRun/4.0 PHP/5.1.4
This was built from source using Visual C++ 8.
Your filename d:\gttmp\afile.htm looks suspicious. XSendfile requires that the file be located below the webroot. |
Here are some points :
You're using version 2.2.2 whereas I'm on 2.0.58. I cant go to that version cause I use mod_FastCGI and this one has not been upgraded to this version. Please notice that this FastCGI is the official one, not the one which is published by this site.
There's no problem when I put files outside the server root. The header is processed accordingly. The only fault is that this header will appear at client side.
I'm asking too much but, maybe you would like to run 2.0.58 and see what happens... |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Tue 22 Aug '06 14:10 Post subject: |
|
|
jabaltie did you try out the mod_fastcgi from apachelounge.com? Doesn't it work correcly? |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Tue 22 Aug '06 16:22 Post subject: |
|
|
The mod_xsendfile which Steffen built will only work with Apache 2.2.x - not with Apache 2.0.58. It says so in the "ReadMe First.txt" included in the .zip
I built an Apache 2.0.58 on Windows and also built a mod_xsendfile to use with it from the source code. Here are my exact steps:
Code: | I got the Apache 2.0.58 source code from the Apache archives
http://archive.apache.org/dist/httpd/httpd-2.0.58-win32-src.zip
I set up my build environment for Visual C++ 2005 Express Edition
and Microsoft Platform SDK for Windows Server 2003 R2
I built Apache 2.0.58 with this command:
NMAKE /f Makefile.win SERVERNAME="localhost" PORT=80 INSTDIR="C:\Program Files\Apache Group\Apache2058" _apacher
I installed Apache 2.0.58 with this command:
NMAKE /f Makefile.win SERVERNAME="localhost" PORT=80 INSTDIR="C:\Program Files\Apache Group\Apache2058" installr
I downloaded the mod_xsendfile source from http://celebnamer.celebworld.ws/stuff/mod_xsendfile/mod_xsendfile.c
I built mod_xsendfile.so with this command:
CL /I"C:\Program Files\Apache Group\Apache2058\include" mod_xsendfile.c /LD /Femod_xsendfile.so /DWIN32 /link "C:\Program Files\Apache Group\Apache2058\lib\*.lib"
I copied mod_xsendfile.so to "C:\Program Files\Apache Group\Apache2058\modules\"
I edited my httpd.conf and added these two lines:
LoadModule xsendfile_module modules/mod_xsendfile.so
XSendFile on
|
It works fine for me - the correct files are sent and no X-SENDFILE header is sent to client.
Whenever I attempt to send a file which is not under the webroot I get this error in my log:
[Tue Aug 22 09:46:04 2006] [error] [client 127.0.0.1] (20023)The given path was above the root path: xsendfile: unable to find file: C:\\TEMP\\test.txt
and the client receives a "404 Not Found" error.
I noticed that your post of August 02 points to your Apache apache2.conf file. In it you have the directive "XsendFileAllowAbove on"
What's this about? There's no such directive in the mod_xsendfile version 0.8, Copyright 2006 by Nils Maier,
which I downloaded from http://celebnamer.celebworld.ws/stuff/mod_xsendfile/mod_xsendfile.c
Perhaps you are not using the same mod_xsendfile code that I (and Steffen) are using? The flag APR_FILEPATH_SECUREROOT in mod_xsendfile.c is what causes this behavior. If this flag is removed from the call to apr_filepath_merge, then files would not need to be under the webroot.
-tom- |
|
Back to top |
|
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
|
Posted: Sat 26 Aug '06 17:52 Post subject: |
|
|
Hi jabaltie,
Did you ever get mod_xsendfile running to your satisfaction on 2.0.58?
Just curious...
-tom- |
|
Back to top |
|
jabaltie
Joined: 02 Aug 2006 Posts: 12 Location: Brazil
|
Posted: Mon 28 Aug '06 15:45 Post subject: |
|
|
tdonovan wrote: | Hi jabaltie,
Did you ever get mod_xsendfile running to your satisfaction on 2.0.58?
Just curious...
-tom- |
First of all, thank you SO MUCH ! You are being very helpful.
No, I'm not satisfied.
I wanna run 2.2.2 but I cant have official FastCGI compiled for it. The one which is published here at this site is not the official FastCGI.
On the other hand, mod_xsendfile needed 2.2.2.
So, I'm between the cross and the sword, as we say here in Brazil.
I guess I'll try to build mod_xsendfile from the instructions above.
As for the XsendFileAllowAbove on I guess the author suggested it.
Thanks again !
I'll let you know about my results, of course. |
|
Back to top |
|
jabaltie
Joined: 02 Aug 2006 Posts: 12 Location: Brazil
|
Posted: Mon 28 Aug '06 16:06 Post subject: |
|
|
Well I tried to compile it but got lost ...
I thought about something way, way simpler :
Would you be so kind to send me that mod_xsendfile.so that you successfully compiled there at your side for 2.0.58 ?
What do you think ?
If so, you may send to my email : jabaltie at unimep dot br (it's not dot com !)
Once more, thank you ! |
|
Back to top |
|