On cygwin environment, any files can be retrieved by malicious users.

Apache 1.3.24 (cygwin default version) vulnerability:
http://[server]/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

Apache 1.3.29 and 2.0.48 (source compile version) vulnerability:
http://[server]/..%5C..%5C..%5C..%5C..%5C..%5C/boot.ini

cf.
http://cert.uni-stuttgart.de/archive/bugtraq/2002/08/msg00241.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0661
Confirmed by the cygwin platform maintainer. Analyzing code and sending patches to the dev@ list. Please pull any "production level" servers running on the cygwin 1.x platform from operations.

Stipe
Created attachment 10222: patch to fix serious security hole in cygwin platform
The attached patch implements a cygwin-specific as_os_canonical_filename() within src/os/cygwin/util_cygwin.c to map backslashes (that unfortunately are interpreted by the cygwin os layer) to slashes. This allows the later security holders to grip within the directory_walk() and file_walk() routines. Please review and apply. Update bug to fixed then.

stipe
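The separator mismatch described in the comment above, as an added example that is not code from the attachment or from Apache: a ".." check that splits only on "/" misses the decoded request paths from the report until backslashes are mapped to slashes first. The names check_request, canon_separators and has_dotdot_segment are hypothetical, and the 1024-byte buffer is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode src into dst (dst needs strlen(src)+1 bytes); -1 on a bad escape. */
static int url_decode(const char *src, char *dst)
{
    while (*src) {
        if (*src == '%') {
            if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
                return -1;
            char hex[3] = { src[1], src[2], '\0' };
            *dst++ = (char)strtol(hex, NULL, 16);
            src += 3;
        } else
            *dst++ = *src++;
    }
    *dst = '\0';
    return 0;
}

/* Map backslashes to slashes so only one separator reaches the later checks. */
static void canon_separators(char *path)
{
    for (; (path = strchr(path, '\\')) != NULL; ++path)
        *path = '/';
}

/* Return 1 if any '/'-delimited segment is exactly "..", else 0. */
static int has_dotdot_segment(const char *path)
{
    while (*path) {
        size_t len = strcspn(path, "/");
        if (len == 2 && path[0] == '.' && path[1] == '.')
            return 1;
        path += len + (path[len] == '/');   /* skip segment and its separator */
    }
    return 0;
}

/* 1 = traversal segment seen, 0 = none seen, -1 = malformed escape or too long. */
int check_request(const char *raw_uri, int canonicalize)
{
    char buf[1024];
    if (strlen(raw_uri) >= sizeof buf || url_decode(raw_uri, buf) != 0)
        return -1;
    if (canonicalize)
        canon_separators(buf);
    return has_dotdot_segment(buf);
}
```

Calling check_request with canonicalize set to 0 models a check that runs before separators are unified; setting it to 1 models the order the patch description asks for.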
Apache HTTP Server 1.3.x is not supported anymore and no bugs will be fixed in the old codebase (cf. <http://mail-archives.apache.org/mod_mbox/httpd-announce/201002.mbox/%3C20100203000334.GA19021@infiltrator.stdlib.net%3E>). Since this bug seems to affect only 1.3.x, I'm closing it as WONTFIX. If this bug still affects you in a recent version (version 2.2.x or the upcoming version 2.4), please open a new bug. Thank you for reporting the bug.