Vigil@nce: Apache httpd, SSI execution via IncludesNOEXEC
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can create a .htaccess file in order to bypass
the restrictions of IncludesNOEXEC.
Severity: 1/4
Consequences: privileged access/rights
Provenance: user account
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 27/05/2009
IMPACTED PRODUCTS
– Apache httpd
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The configuration file of Apache httpd can contain the following
options:
– Includes : Server Side Includes are allowed
– IncludesNOEXEC : the same, except for the "#exec cmd" and
"#exec cgi" commands, which are dangerous
Since Apache httpd version 2.2, the AllowOverride directive can
restrict the list of options allowed to be changed in a .htaccess
file. For example:
AllowOverride Options=IncludesNOEXEC
In this case, only the IncludesNOEXEC option can be changed in a
.htaccess file.
However, due to a logic error, when AllowOverride indicates
"IncludesNOEXEC", the "Includes" option is also allowed.
An attacker can therefore enable the "Includes" option in a
.htaccess file in order to use "#exec cmd" and "#exec cgi"
commands.
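Added example (not part of the Vigil@nce bulletin and not Apache code): a Python audit helper that flags .htaccess files requesting the full "Includes" option under a configuration that only delegates IncludesNOEXEC, as described above. Function names, paths and sample contents are assumptions constructed for illustration, and only explicit Includes tokens are examined.

```python
import re

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)
ALLOWOVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+)$", re.IGNORECASE)

def override_limited_to_noexec(conf_text):
    """True if an AllowOverride line delegates IncludesNOEXEC but not Includes."""
    for line in conf_text.splitlines():
        m = ALLOWOVERRIDE_RE.match(line)
        for token in (m.group(1).split() if m else []):
            if token.lower().startswith("options="):
                allowed = set(token.lower()[len("options="):].split(","))
                if "includesnoexec" in allowed and "includes" not in allowed:
                    return True
    return False

def htaccess_enables_includes(htaccess_text):
    """True if the Options lines, read top to bottom, leave full Includes on."""
    enabled = False
    for line in htaccess_text.splitlines():
        m = OPTIONS_RE.match(line)
        if not m:
            continue
        toks = m.group(1).lower().split()
        if all(t[0] not in "+-" for t in toks):
            enabled = False  # unsigned form replaces earlier settings
        for t in toks:
            if t.lstrip("+") == "includes":
                enabled = True
            elif t == "-includes":
                enabled = False
    return enabled

def audit(conf_text, htaccess_by_path):
    """Paths whose .htaccess asks for Includes where only IncludesNOEXEC was delegated."""
    if not override_limited_to_noexec(conf_text):
        return []
    return sorted(p for p, t in htaccess_by_path.items() if htaccess_enables_includes(t))

# Constructed sample input: paths and file contents are illustrative only.
SAMPLE_CONF = "<Directory /var/www/users>\n  AllowOverride Options=IncludesNOEXEC\n</Directory>\n"
SAMPLE_HTACCESS = {
    "/var/www/users/a/.htaccess": "Options +IncludesNOEXEC\n",
    "/var/www/users/b/.htaccess": "# enable SSI\noptions +Includes\n",
    "/var/www/users/c/.htaccess": "Options +Includes\nOptions -Includes\n",
}

if __name__ == "__main__":
    for path in audit(SAMPLE_CONF, SAMPLE_HTACCESS):
        print("review:", path)
```

Files reported by audit() are candidates for manual review on servers that have not yet received the vendor fix.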
CHARACTERISTICS
Identifiers: 489436, BID-35115, CVE-2009-1195, RHSA-2009:1075-01,
VIGILANCE-VUL-8741
http://vigilance.fr/vulnerability/Apache-httpd-SSI-execution-via-IncludesNOEXEC-8741