10.11.07

0x000000 ◊ The Hacker Webzine

Apache Fun.


Good to know Apache, You might be wondering what I'm mumbling about, okay I will tell you. Anyone who ever played with Apache knows the standard error documents as defined in apache2.conf et al. What not everyone knows is that most versions of Apache have templates that the error documents include when a problem is found. These so called templates are the .html.var files and you can access them without restrictions. While that isn't a big security issue, you might want to consider this twice. In the pages you can find info about the webserver, sometimes path disclosure and almost always the webmaster's email address. It's fairly easy to write a script that visits these pages and collects these email addresses because all these pages are more or less the same. There are further directory traversals -or canonicalization issues- but those are present in 2.0.39 and previous 2.0.x and on Windows systems only.

Here is one for Mozilla:
http://www.mozilla.org/error/HTTP_VARIANT_ALSO_VARIES.html.var

Oh gosh I'm vulnerable too:
http://www.0x000000.com/error/HTTP_VARIANT_ALSO_VARIES.html.var

Not that I care that much, since it's not my email address. Still if you have access to your Apache configuration, and have a high profile website it would be a smart idea to turn this stuff off. And no, this is not a h4ck0r zerodayish thingy, it is pretty well known.

Here is why:
/error/HTTP_BAD_REQUEST.html.var

/error/HTTP_UNAUTHORIZED.html.var

/error/HTTP_FORBIDDEN.html.var

/error/HTTP_NOT_FOUND.html.var

/error/HTTP_METHOD_NOT_ALLOWED.html.var

/error/HTTP_REQUEST_TIME_OUT.html.var

/error/HTTP_GONE.html.var

/error/HTTP_LENGTH_REQUIRED.html.var

/error/HTTP_PRECONDITION_FAILED.html.var

/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var

/error/HTTP_REQUEST_URI_TOO_LARGE.html.var

/error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var

/error/HTTP_INTERNAL_SERVER_ERROR.html.var 

/error/HTTP_NOT_IMPLEMENTED.html.var

/error/HTTP_BAD_GATEWAY.html.var

/error/HTTP_SERVICE_UNAVAILABLE.html.var

/error/HTTP_VARIANT_ALSO_VARIES.html.var

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)