Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Apache Today [Your Apache News Source] To

Apache HTTPD Links
PHP Server Side Scripting
Apache-Perl Integration Project
Apache Project
The Apache Software Foundation
Apache Module Registry
The Jakarta Project
The Java Apache Project
The Apache FAQ
Apache-Related Projects
Apache XML Project

Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ISP Resources
ASP Resources
Wireless Internet
Internet Resources
Internet Lists
Career Resources

Advertising Info
Corporate Info
EnGarde Linux advisory: Apache directory listing vulnerability
Jun 21, 2001, 21 :19 UTC (0 Talkback[s]) (2555 reads)

| EnGarde Secure Linux Security Advisory                   June 20, 2001 |
|                           ESA-20010620-02 |
|                                                                        |
| Package:  apache                                                       |
| Summary:  An attacker can bypass index files and retrieve a directory  |
|           listing.                                                     |

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

- --------
  There is a vulnerability in apache by which an attacker can get a
  directory listing even when an index file (such as index.html) is

- ------
  By sending apache a very long path containing slashes, an attacker can
  trick mod_negotiation and mod_dir/mod_autoindex into displaying a
  directory listing.  This was fixed in apache version 1.3.18 (which was
  an internal release not made available to the public).  This updated
  package will now return a 403 (FORBIDDEN) when such a request is made.

- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh 

  Once the updated package is installed, you need to restart it:

    # /etc/init.d/httpd restart

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv 

- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

      MD5 Sum:  23e58c358deef336067d165b51ed7b3d

  Binary Packages:

      MD5 Sum:  084e9b7630af62f540e539e7a66af559

      MD5 Sum:  aab4dc51aca297660eee675a56fc506b

- ----------
  Guardian Digital's public key:

  Credit for the discovery of this bug goes to:
    Martin Kraemer

  Apache's Official Web Site:

  Apache's Changelog:

- --------------------------------------------------------------------------
$Id: ESA-20010620-02-apache,v 1.3 2001/06/20 18:51:29 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple,  
Copyright 2001, Guardian Digital, Inc.

  Current Newswire:
NewsForge: VA spin-off releases first product, aims for profit

Apache 2.0.28 Released as Beta

Covalent Technologies announces industry support for Enterprise Ready Server and Apache 2.0 On the Security of PHP, Part 1

Apache/PHP-based Content Management System Release

HyperSpace Communications announces limited release of HyperSpace Accelerator software

Mod_xslt added to Apache Module Registry

SupportWizard broadens Apache support in response to Nimda and Code Red worms

SEWATCH: The Big List of Web Robots

Sun extends SOAP support across Sun ONE integrated product portfolio

No talkbacks posted.
Enter your comments below.
Your Name: Your Email Address:

Subject: CC: [will also send this talkback to an E-Mail address]

See our talkback-policy for or guidelines on talkback content.

About Triggers Media Kit Security Triggers Login

All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.