Topic: Apache Permission-Denial Bypass (2nd)
Tape
Joined: 30 Nov 2015
Posts: 3

Posted: Sat 26 Mar '16 23:37    Post subject: Apache Permission-Denial Bypass (2nd)

When sending a specifically crafted request, Apache will bypass "403 Permission Denied" and serve the root directory index.php output.

Exploit:
In HTTP request header:
x8dxfb?drx04xc0x9bxf7x7fxc8x1axc7JZxc2

Confirmed on:
Apache/2.4.9 (Win64)

Config:
WAMP
Permissions set to deny everyone except set IPs via root .htaccess.

.htaccess:
ErrorDocument 404 /
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <FIRSTIP>
</Limit>
<Limit PUT DELETE CONNECT OPTIONS>
order deny,allow
deny from all
</Limit>
ErrorDocument 403 "http://<SECONDIP>/public /"

I found out about this because I saw entries in the access log like:
169.229.3.91 - - [26/Mar/2016:09:17:55 0100] "x8dxfb?drx04xc0x9bxf7x7fxc8x1axc7JZxc2" 200 2776

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

Posted: Tue 29 Mar '16 10:25

What is your question?

covener
Joined: 23 Nov 2008
Posts: 59

Posted: Wed 30 Mar '16 3:18

It's interpreted as an unknown method that PHP might understand. It's not covered by any access control requirements. One of the many ways to misuse Limit carelessly.
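
Added example, not part of the thread or of Apache itself: a small Python audit that finds access-control directives wrapped in `<Limit>` and reports whether a given method is covered by them, which is the gap covener describes. The sample config is constructed from the .htaccess posted above, and `FOO` is a constructed stand-in for any method token the blocks do not list.

```python
import re

# Directives that grant or deny access (2.2-style and 2.4-style names).
ACCESS_DIRECTIVES = {"order", "allow", "deny", "satisfy", "require"}

# Constructed sample modelled on the .htaccess in the thread; <FIRSTIP> is the
# thread's own placeholder.
SAMPLE_HTACCESS = """\
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <FIRSTIP>
</Limit>
<Limit PUT DELETE CONNECT OPTIONS>
order deny,allow
deny from all
</Limit>
"""

def audit_limit_blocks(config_text):
    """Return one finding per <Limit> block that wraps access-control directives."""
    findings, methods, start, hits = [], None, 0, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<Limit\s+([^>]*)>$", line, re.I)  # not <LimitExcept>
        if opening:
            methods, start, hits = opening.group(1).split(), lineno, []
        elif re.match(r"</Limit>$", line, re.I):
            if methods is not None and hits:
                findings.append({"line": start, "methods": methods, "directives": hits})
            methods = None
        elif methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            hits.append(line)
    return findings

def is_restricted(findings, method):
    """True if some audited <Limit> block applies to this (case-sensitive) method."""
    if method == "HEAD":  # Apache applies a GET limit to HEAD as well
        method = "GET"
    return any(method in f["methods"] for f in findings)

if __name__ == "__main__":
    found = audit_limit_blocks(SAMPLE_HTACCESS)
    for f in found:
        print(f"line {f['line']}: access control only for {' '.join(f['methods'])}")
    print("FOO restricted:", is_restricted(found, "FOO"))  # FOO: constructed token
```

Apache's documentation advises against placing access-control directives inside `<Limit>` in the general case; outside it they apply to every method.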