PHP/Apache .htaccess Authentication Bypass Vulnerability

06.25.03

BACKGROUND

PHP is an open source, server-side, HTML embedded scripting language used to create dynamic Web pages.

Apache is an open source Web server.

DESCRIPTION

A remotely exploitable access validation error has been confirmed in Apache Software Foundation's HTTP Server when used with PHP. The <Limit> directive provided in the core functionality of Apache is used to prevent certain request methods from being used on particular files or directories. For example, the directive

<Directory "/webroot">
<Limit POST>
Order deny,allow
deny from all
</Limit>
</Directory>

should prevent any user from using the 'POST' method to access files in the /webroot directory. If an attacker tries to 'POST' to an HTML file in this directory, the Web server will respond with a 403 Forbidden error. Apache treats the method name in all of these requests as case-sensitive, so a request specifying 'Post' as the method will generate a 501 Method Not Implemented error. However, PHP does not treat the method as being case-sensitive. A request for a PHP file in the same protected directory using the 'Post' method will cause the script to be executed normally.

ANALYSIS

This problem occurs as a result of a communication error in the interaction between Apache and PHP. By default, only .php and .php3 files are handled by the PHP engine, but modifying the AddType directive for PHP may allow other file types, including .htm, .html and .cgi files, to be handled by PHP. Exploitation allows an attacker to access any file processed by PHP that should be protected by the <Limit> directive. This directive may be included in .htaccess access restriction files or in the httpd.conf configuration file. This vulnerability may be especially dangerous if <Limit> is used to protect administration pages.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

DETECTION

Apache HTTP Server versions 1.3.27 and 2.0.46 for Linux are confirmed vulnerable when used with PHP version 4.3.2. The apache2handler SAPI module was enabled as well.

WORKAROUND

Avoid using the <Limit> directive anywhere that PHP will be used. Instead, users should utilize the <LimitExcept> directive to specify allowable methods. Use of <LimitExcept> will ensure that only uppercase methods are allowed.
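As an added illustration (not configuration from the advisory itself), the <Limit> block from the description is shown beside the <LimitExcept> form the workaround recommends; the /webroot path is taken from the description, and the choice of GET and HEAD as the only allowed methods is an assumption.

```apache
# Vulnerable form: the access control applies only to the exact method
# token "POST". Apache itself rejects a mixed-case spelling such as "Post"
# with 501, but PHP normalizes it and runs the script as a POST, so the
# restriction is not enforced for PHP-handled files.
<Directory "/webroot">
    <Limit POST>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

# Corrected form: <LimitExcept> names the methods that are allowed, and the
# enclosed access control applies to every other method token, including
# lowercase or mixed-case spellings, before the request reaches PHP.
# (GET/HEAD as the allowed set is an assumption for this example.)
<Directory "/webroot">
    <LimitExcept GET HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

After changing the directive, confirm the behaviour on a test host by checking that a request using a mixed-case method against a PHP file in the directory now receives 403 rather than executing the script.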

VENDOR RESPONSE

No vendor fix is currently available.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.

DISCLOSURE TIMELINE

06/01/2003   Exploit acquired by iDEFENSE
06/02/2003   Initial vendor notification
06/11/2003   iDEFENSE Clients notified
06/25/2003   Public Disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.