Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Apache Permission-Denial Bypass (2nd) |
|
| Author |
|
Tape
Joined: 30 Nov 2015
Posts: 3
|
 Posted: Sat 26 Mar '16 23:37 Post subject: Apache Permission-Denial Bypass (2nd) |
 |
|
When sending a specifically crafted request, Apache will bypass "403 Permission Denied" and serve the root directory index.php output.
Exploit:
In HTTP request header:
x8dxfb?drx04xc0x9bxf7x7fxc8x1axc7JZxc2
Confirmed on:
Apache/2.4.9 (Win64)
Config:
WAMP
Permissions set to deny everyone except set IP's via root .htaccess.
.htaccess:
ErrorDocument 404 /
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <FIRSTIP>
</Limit>
<Limit PUT DELETE CONNECT OPTIONS>
order deny,allow
deny from all
</Limit>
ErrorDocument 403 "http://<SECONDIP>/public /"
I found out about this because I saw entries in the access log like:
169.229.3.91 - - [26/Mar/2016:09:17:55 0100] "x8dxfb?drx04xc0x9bxf7x7fxc8x1axc7JZxc2" 200 2776 |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7298
Location: Germany, Next to Hamburg
|
| Posted: Tue 29 Mar '16 10:25 Post subject: |
|
|
| What is your question? |
|
| Back to top |
|
covener
Joined: 23 Nov 2008
Posts: 55
|
| Posted: Wed 30 Mar '16 3:18 Post subject: |
|
|
| It's interpreted as an unknown method that PHP might understand. It's not covered by any access control requirements. One of the many ways to misuse Limit carelessly. |
|
| Back to top |
|
|
|
|
|
|
