Vendor: Webserver
By: SecurityFocus
CVSS: 7.5 (HIGH)
Type: Case Sensitivity Issue
CWE: 22
Product Name: Webserver
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mac OS X
Year: 2002

Apache Webserver Vulnerability on Mac OS X Client

When Apache webserver is used with Mac OS X Client, the standard filesystem for Mac OS X is HFS+ which is case insensitive while Apache's filtering is case sensitive. This results in Apache filtering all file requests that match filters exactly (including case), but not filtering requests made with mixed or upper case characters. This allows unprivileged remote users to access arbitrary privileged files.

Mitigation:

Ensure that the Apache webserver is configured to use a case-sensitive file system.

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2852/info

A vulnerability exists when Apache webserver is used with Mac OS X Client.

The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive while Apache's filtering is case sensitive. The result is that Apache will filter all file requests that match filters exactly (including case), but it will not filter requests made with mixed or upper case characters. Since HFS+ is case insensitive, these requests will result in the "filtered" files being disclosed.

The impact is that arbitrary privileged files may be disclosed to unprivileged remote users. 

The following request will result in a 403 Forbidden as expected:

GET /test/index.html

But the following request will happily serve the file:

GET /TeSt/index.html
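The mismatch above, modelled as an added example (not code from the advisory or from Apache): an exact-case deny rule beside a rule that compares paths in the form the case-insensitive filesystem actually resolves, plus a check over constructed access-log lines that flags requests served only because of a case variant. The denied prefix, the `hfs_plus_resolves` approximation and the log layout are assumptions made for the illustration.

```python
"""Added model of the HFS+ / Apache filter mismatch described above.
Not advisory code: filter, filesystem model and log lines are constructed."""

# Constructed: prefixes the administrator meant to deny, in the exact case
# written into the (hypothetical) server configuration.
DENIED_PREFIXES = ("/test/",)


def hfs_plus_resolves(path):
    """Approximate HFS+ lookup: case is ignored, so paths differing only in
    case name the same on-disk object."""
    return path.lower()


def case_sensitive_filter_allows(path, denied=DENIED_PREFIXES):
    """Vulnerable rule: exact, case-sensitive prefix comparison."""
    return not any(path.startswith(p) for p in denied)


def hardened_filter_allows(path, denied=DENIED_PREFIXES):
    """Fixed rule: compare in the canonical form the filesystem will use, so
    a case variant of a denied path is denied as well.  A real server must
    also percent-decode and collapse '..' before this step (omitted here)."""
    canonical = hfs_plus_resolves(path)
    return not any(canonical.startswith(hfs_plus_resolves(p)) for p in denied)


def status_for(path, allows):
    """HTTP status the given filter would return for a request path."""
    return 200 if allows(path) else 403


# Constructed access-log excerpt in a simplified 'METHOD PATH STATUS' layout.
SAMPLE_LOG = [
    "GET /test/index.html 403",
    "GET /TeSt/index.html 200",
    "GET /index.html 200",
]


def find_case_bypasses(log_lines, denied=DENIED_PREFIXES):
    """Detection: paths served with 2xx although their case-folded form falls
    under a denied prefix, i.e. the filter was bypassed by case alone."""
    hits = []
    for line in log_lines:
        _method, path, status = line.split()
        if 200 <= int(status) < 300 and not hardened_filter_allows(path, denied):
            hits.append(path)
    return hits
```

In Apache 2.x, which evaluates `<LocationMatch>` with PCRE, the equivalent of the hardened rule is a case-insensitive pattern such as `<LocationMatch "(?i)^/test/">` rather than a literal, case-sensitive `<Location /test>`.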