Topic: Apache Permission-Denial Bypass

[Tape]

When sending a CONNECT request with a specific pattern or an OPTIONS request, Apache will bypass "403 Permission Denied" and serve the root directory index.php output.

- It happens even though CONNECT is not in OPTIONS and not allowed.
- The index.php file must exist for the bypass to happen (otherwise "CONNECT a:1" and OPTIONS return "302 Found" as per .htaccess settings).
- If the index file isn't PHP, Apache will output "Method Not Allowed - The requested method CONNECT is not allowed for the URL /index.htm", or in the case of OPTIONS it will output only the headers but including the Allow header; both are still bypassing the 403.

Exploit:
In HTTP request header:
CONNECT a:1
CONNECT google.com:80 HTTP/1.1
CONNECT str:int<nothing or " any/any">
OPTIONS / HTTP/1.1

Confirmed on:
Apache/2.4.9 (Win64)

Config:
WAMP
Permissions set to deny everyone except set IP's via root .htaccess.

.htaccess:
ErrorDocument 404 /
<Limit GET POST>
order deny,allow
deny from all
allow from 127.0.0.1
allow from <SECONDIP>
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
ErrorDocument 403 "http://<SECONDIP>/public/"

Fix:
<Limit PUT DELETE CONNECT OPTIONS>
order deny,allow
deny from all
</Limit>

Keep in mind:
- CONNECT is not allowed in the first place.
- OPTIONS return "302 Found" if the index doesn't exist (i.e. it is affacted by limits not reffering it directly), or it returns only the headers including the Allow headers (like it's normally supposed to) if eg. index.htm exists.
- OPTIONS is not meant to return the body, but it will if index.php exists.

I found out about this because I saw entries in the access log like:
61.228.90.59 - - [17/Nov/2015:22:10:10 0100] "CONNECT 163mx00.mxmail.netease.com:25 HTTP/1.0" 200 2829
141.212.122.96 - - [24/Nov/2015:00:21:35 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2945
141.212.122.112 - - [25/Nov/2015:22:01:27 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2946
111.248.101.180 - - [27/Nov/2015:09:06:18 0100] "CONNECT 163mx00.mxmail.netease.com:25 HTTP/1.0" 200 2832
111.248.103.196 - - [28/Nov/2015:06:27:28 0100] "CONNECT 126mx00.mxmail.netease.com:25 HTTP/1.0" 200 2831
141.212.122.128 - - [30/Nov/2015:19:02:27 0100] "CONNECT proxytest.zmap.io:80 HTTP/1.1" 200 2946
(skipped several)

[James Blond]

What is your question on this?

[Tape]

You might notice that I didn't include any question marks.

I posted to this category because, ironically, it's the closest to the topic at hand; basically it's a mitigation of the inherent incompetence of this forum.

Please move the threads to another category if you believe any other is better suiting (or create a "Vulnerabilities" [awareness/reports of in-the-wild vulnerabilities], "Apache Discussion" or "Unofficial Apache Documentation" category).

[glsmith]

I understood this to have no question, simply informative. It's in the right catagory as well. That said;

I wonder if this is a flaw in mod_access_compat. Can you duplicate this bypass without mod_access_compat loaded, thereby using just the Require directive (as that is 2.4's native style)?

For example;

Pre-2.4 style w/ mod_access_compat

[glsmith]

On second thought.

In your non-fixed example you do not Limit CONNECT or OPTIONS, so anything goes with those 2. Your fix just adds them along with PUT & DELETE.