Opened 7 years ago

Last modified 22 months ago

#38452 assigned defect

Information disclosure vulnerability with apache2 and other web servers

Reported by: vikingjs@…
Owned by: ryandesign (Ryan Schmidt)
Priority: High
Milestone:
Component: ports
Version: 2.1.3
Keywords:
Cc: cooljeanius (Eric Gallager), neverpanic (Clemens Lang), mp@…, Schamschula (Marius Schamschula), pixilla (Bradley Giesbrecht)
Port: apache2

Description

Apple has identified a critical security issue that allows attackers to see the source code of Web pages. It is outlined here: http://packetstormsecurity.com/files/120820/Apple-Security-Advisory-2013-03-14-1.html. In summary, passing a URL like: http://mydomain.com/index.p%E2%80%8Chp will dump the php of the file raw, rather than executing it on the server.

I have fixed the issue on my local machines by copying mod_hfs_apple.so from its preinstalled location (after updating MacOS), and adding an entry in https.conf to load that module.
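An added example, not part of the ticket or of MacPorts: a request-path check a front end could apply before a URL reaches a server whose document root is on HFS+. `%E2%80%8C` decodes to U+200C, a character HFS+ ignores when comparing file names, so the file system resolves `index.php` while the server's handler lookup sees a different extension. The ignorable set is an assumption (the list Git's `core.protectHFS` check uses) and all function names are hypothetical.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: code points HFS+ skips when comparing file names, taken from
# the list Git's core.protectHFS check uses.
HFS_IGNORABLE = (
    set(range(0x200C, 0x2010))    # ZWNJ, ZWJ, LRM, RLM
    | set(range(0x202A, 0x202F))  # bidi embedding/override controls
    | set(range(0x206A, 0x2070))  # deprecated formatting controls
    | {0xFEFF}                    # zero-width no-break space
)


def decoded_path(url):
    """Percent-decode the URL path once, as a server does before mapping it."""
    return unquote(urlsplit(url).path, encoding="utf-8", errors="replace")


def hfs_ignorable_in_path(url):
    """List the HFS+-ignorable code points present in the decoded path."""
    return [f"U+{ord(c):04X}" for c in decoded_path(url)
            if ord(c) in HFS_IGNORABLE]


def extension_views(url):
    """Return (extension the handler lookup sees, extension HFS+ resolves)."""
    path = decoded_path(url)
    folded = "".join(c for c in path if ord(c) not in HFS_IGNORABLE)
    return posixpath.splitext(path)[1], posixpath.splitext(folded)[1]


def should_reject(url):
    """True when the request path should be refused (for example with 404)."""
    return bool(hfs_ignorable_in_path(url))


# Constructed sample requests; the first is the URL from the description.
SAMPLES = [
    "http://mydomain.com/index.p%E2%80%8Chp",
    "http://mydomain.com/index.php",
    "http://mydomain.com/caf%C3%A9.php",
]

if __name__ == "__main__":
    for url in SAMPLES:
        seen, resolved = extension_views(url)
        print(url, should_reject(url), repr(seen), repr(resolved))
```

Legitimate non-ASCII names such as the third sample pass, because only the ignorable code points are matched.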

Change History (16)

comment:1 Changed 7 years ago by danielluke (Daniel J. Luke)

It would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/). I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.

comment:2 Changed 7 years ago by cooljeanius (Eric Gallager)

Generally security issues get "high" priority, don't they?

comment:3 Changed 7 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:4 Changed 7 years ago by ryandesign (Ryan Schmidt)

Cc: ryandesign@… added

apache2 is my port but I'm unsure what action you want us to take. apache2 is already at the latest 2.2.x version. (The request to update to 2.4.x is #35824.)

comment:5 Changed 7 years ago by mf2k (Frank Schima)

It seems this is an issue with Apple's Apache 2, not the Macports one.

comment:6 Changed 7 years ago by ryandesign (Ryan Schmidt)

Priority: Normal → High
Summary: Apache on HFS Critical Security Issue → PHP code disclosure vulnerability with apache2 and other web servers

I am able to reproduce the issue with MacPorts apache2 @2.2.4 and php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP versions. I need to see upstream apache / lighttpd / php bug reports to determine what we should do to fix it.

comment:7 Changed 7 years ago by ryandesign (Ryan Schmidt)

I have a feeling it's the web server's responsibility to fix this, not PHP's. I've emailed the developer of lighttpd about this and will now look into apache.

comment:8 Changed 7 years ago by vikingjs@…

Note that the specific exploit I provided exposed php code, but the hole is by no means limited to php. The exploit can be used to reveal any server-side scripting. A port of mod_hfs_apple seems like the most universal solution, if it's feasible.

comment:9 Changed 7 years ago by ryandesign (Ryan Schmidt)

Cc: cal@… added
Summary: PHP code disclosure vulnerability with apache2 and other web servers → Information disclosure vulnerability with apache2 and other web servers

Yes I realize that.

I have reported the problem to the Apache security list now too.

Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box. Also it would not help lighttpd. I have not tested nginx or other web servers.

comment:10 in reply to:  9 ; Changed 7 years ago by cooljeanius (Eric Gallager)

Replying to ryandesign@…:

Yes I realize that.

I have reported the problem to the Apache security list now too.

Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box.

I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

Last edited 7 years ago by cooljeanius (Eric Gallager)

comment:11 in reply to:  10 ; Changed 7 years ago by ryandesign (Ryan Schmidt)

Replying to dluke@…:

It would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/). I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.

I doubt it since it was last modified in 2011.

Replying to egall@…:

I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

Let's have a separate ticket for that.

comment:12 in reply to:  11 ; Changed 7 years ago by cooljeanius (Eric Gallager)

Replying to ryandesign@…:

Replying to egall@…:

I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

Let's have a separate ticket for that.

OK: #38461

comment:13 in reply to:  12 Changed 7 years ago by mp@…

Replying to egall@…:

Replying to ryandesign@…:

Replying to egall@…:

I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

Let's have a separate ticket for that.

OK: #38461

A solution is presented in comment:ticket:38461:7
For now it's only been tested on Tiger, but it should work on all OS X versions. Anyone willing to test is most welcome.

Last edited 7 years ago by ryandesign (Ryan Schmidt)

comment:14 Changed 7 years ago by mp@…

Cc: mp@… added

Cc Me!

comment:15 Changed 3 years ago by jmroot (Joshua Root)

Cc: Schamschula pixilla added

comment:16 Changed 22 months ago by mf2k (Frank Schima)

Cc: ryandesign removed
Owner: changed from macports-tickets@… to ryandesign
Status: new → assigned

Is this still an issue?
