73520 2002-08-20  02:05  /42 lines/ Hector A. Paterno <apaterno@dsnargentina.com.ar>
Imported: 2002-08-20  02:05  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1176>
Subject: Information disclosure on mod_auth ( apache 1.3.26 ) ?
------------------------------------------------------------
Hi, I have found a discrepancy between mod_auth and ServerTokens
Prod.
 
Using OpenBSD CURRENT, Apache 1.3.26, as the example:
 
I add the following line to the httpd.conf file:

ServerTokens Prod
 
So, when I try to get the version/modules of Apache with the HEAD
method, I obtain as a reply only the type of the server:
 
 HEAD / HTTP/1.0\r\n\r\n
 
[info]
Server: Apache
[info]
 
But, when I enable mod_auth and try to access the protected directory
with an invalid username/password, I obtain the following error:
 
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
 
Giving me the version of the Apache server.
 
I'm not an Apache guru, but from my point of view this seems to
be a flaw(?) in the mod_auth module.

Comments appreciated.
 
Best Regards.

-- 
Hector A. Paterno
Digital Security Networks S.A.
Mail : apaterno@dsnargentina.com.ar
Fido : 4:901/343.5
pub  1024D/C1F2348C 2001-12-04 Hector A. Paterno <apaterno@dsnargentina.com.ar>
Key Fingerprint : D741 154E 5CA0 C446 1A7B 4750 0469 0BEB C1F2 348C
Key ID : 0xC1F2348C ( pgp.mit.edu )
(73520) /Hector A. Paterno <apaterno@dsnargentina.com.ar>/(Reflowed)
73521 2002-08-20  02:10  /31 lines/ Jacques A. Vidrine <nectar@FreeBSD.org>
Imported: 2002-08-20  02:10  by Brevbäraren
External recipient: dvdman <dvdman@l33tsecurity.com>
Recipient: Bugtraq (import) <1177>
Subject: Re: Freebsd FD exploit
------------------------------------------------------------
On Sun, Aug 18, 2002 at 09:01:13PM -0400, dvdman wrote:
> /* Proof Of Concept exploit for the Freebsd file descriptors bug. Freebsd 
> thought they fixed this months ago well guess again :P Thanks to the 
> Freebsd kernel you may now enjoy local root on all freebsd <=4.6 ;) */
[...]
> And Freebsd thought they fixed this :P

Well, it _is_ fixed, as of July 30.


[...]
> thanks Georgi Guninski for ideas
[...]
> Several months ago Joost Pol <joost@pine.nl> made public almost the same
> problem. FreeBSD fixed it, but the patch does not cover all the cases.
[...]
> PROOF:
> [dvdman@xxxx:~]$ uname -a
> FreeBSD xxx.xx 4.6-STABLE FreeBSD 4.6-STABLE #1: Sat Jul27 20:16:20 GMT 2002     dvdman@xxxx:/usr/obj/usr/src/sys/xxx  i386

Yes, there was a case missed.  Georgi caught it and let us know about
it (thanks, Georgi!), and it was repaired around 2002-07-30 15:40:46
UTC in all branches.  We released an updated advisory around then, as
well.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se
(73521) /Jacques A. Vidrine <nectar@FreeBSD.org>/---
73720 2002-08-22  17:30  /49 lines/ Alex Muntada <alexm+bugtraq@ac.upc.es>
Imported: 2002-08-22  17:30  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1208>
Subject: Re: Information disclosure on mod_auth ( apache 1.3.26 ) ?
------------------------------------------------------------
Quoting Hector A. Paterno:

> I have found a discrepancy between mod_auth and ServerTokens Prod.
>  
> Using OpenBSD CURRENT, Apache 1.3.26, as the example:
>  
> I add the following line to the httpd.conf file:
> 
> ServerTokens Prod
>  
> So, when I try to get the version/modules of Apache with the HEAD
> method, I obtain as a reply only the type of the server:
>  
>  HEAD / HTTP/1.0\r\n\r\n
>  
> [info]
> Server: Apache
> [info]
>  
> But, when I enable mod_auth and try to access the protected directory
> with an invalid username/password, I obtain the following error:
>  
> 401 Authorization Required
> [bleh bleh info]
> Apache/1.3.26 Server at xxxxx Port 80
>  
> Giving me the version of the Apache server.
>  
> I'm not an Apache guru, but from my point of view this seems to be a
> flaw(?) in the mod_auth module.

Hector,
to disable the Apache server signature (it's on by default) you
should add this to your httpd.conf and restart Apache:

  ServerSignature Off

The ServerTokens directive applies to the HTTP Server response
header only. Take a look at the Apache manual for more details:

  http://httpd.apache.org/docs/mod/core.html#serversignature
  http://httpd.apache.org/docs/mod/core.html#servertokens

Best regards.

--
Alex Muntada <alexm at ac.upc.es>
http://people.ac.upc.es/alexm/
(73720) /Alex Muntada <alexm+bugtraq@ac.upc.es>/----
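The two directives discussed in this thread cover two different channels: ServerTokens controls the Server: response header, ServerSignature controls the footer line on server-generated error pages such as the 401 shown above. The following script is an added example and is not code from either poster or from the Apache project. It assumes a simplified httpd.conf (global scope only, no <VirtualHost> or <Directory> overrides) and uses constructed sample input: a weak configuration modelled on the report (ServerTokens Prod but ServerSignature still On), the corrected configuration, and a constructed 401 response with the same kind of footer the report quotes. It reports which leak channel each configuration leaves open and checks a raw response for a version string in the header and in the body separately, so the discrepancy the report describes (clean header, leaking error page) shows up as such.

```python
import re

# Constructed sample configurations (not taken from the original posts).
# WEAK_CONF reproduces the situation in the report: the Server: header is
# reduced to "Apache", but server-generated error pages still carry a
# version footer because ServerSignature is not Off.
WEAK_CONF = """
# Only affects the Server: response header
ServerTokens Prod
# Footer on error pages still shows the full version string
ServerSignature On
"""

# Corrected configuration as suggested in the reply: both channels closed.
FIXED_CONF = """
ServerTokens Prod
ServerSignature Off
"""

# Constructed 401 response modelled on the one quoted in the report.
# The hostname is a placeholder; the footer line is the leaking channel.
LEAKY_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache\r\n"
    'WWW-Authenticate: Basic realm="private"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>401 Authorization Required</TITLE></HEAD>\r\n"
    "<BODY><H1>Authorization Required</H1>\r\n"
    "<HR>\r\n"
    "<ADDRESS>Apache/1.3.26 Server at www.example.com Port 80</ADDRESS>\r\n"
    "</BODY></HTML>\r\n"
)

# Matches an Apache version token such as "Apache/1.3.26".
VERSION_RE = re.compile(r"Apache/\d+\.\d+(?:\.\d+)?")


def directives(conf_text):
    """Map lowercased directive name -> last value seen, ignoring comments.

    Only global-scope directives are modelled (assumption for this example);
    section openers like <Directory> are skipped rather than interpreted.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def version_leak_channels(conf_text):
    """Return the channels through which the version can still be revealed.

    A missing directive is treated conservatively as a finding, since the
    effective default depends on the distribution's shipped httpd.conf.
    """
    d = directives(conf_text)
    channels = []
    if d.get("servertokens", "").lower() != "prod":
        channels.append("Server header")
    if d.get("serversignature", "").lower() != "off":
        channels.append("error page footer")
    return channels


def leaked_versions(raw_response):
    """Split a raw HTTP response and return (versions in headers, versions in body)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    return VERSION_RE.findall(head), VERSION_RE.findall(body)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "config leaks via:", version_leak_channels(conf) or "nothing")
    in_head, in_body = leaked_versions(LEAKY_401)
    print("version in headers:", in_head, "| version in body:", in_body)
```

Run against the constructed inputs, the weak configuration is reported as leaking only through the error page footer, the corrected one through nothing, and the sample 401 shows no version in its headers but "Apache/1.3.26" in its body, which is exactly the header/body split the original report observed. The same two functions can be pointed at a real httpd.conf and at a captured error response from your own server to confirm both directives took effect after the restart.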