[MacPorts] #38452: Apache on HFS Critical Security Issue
#38452: Apache on HFS Critical Security Issue
------------------------+--------------------------------
 Reporter:  vikingjs@…  |      Owner:  macports-tickets@…
     Type:  defect      |     Status:  new
 Priority:  Normal      |  Milestone:
Component:  ports       |    Version:  2.1.3
 Keywords:              |       Port:  apache2
------------------------+--------------------------------

Apple has identified a critical security issue that allows attackers to see the source code of Web pages. It is outlined here: [http://packetstormsecurity.com/files/120820/Apple-Security-Advisory-2013-03-14-1.html].

In summary, passing a URL like:

`http://mydomain.com/index.p%E2%80%8Chp`

will dump the php of the file raw, rather than executing it on the server.

I have fixed the issue on my local machines by copying mod_hfs_apple.so from its preinstalled location (after updating MacOS), and adding an entry in https.conf to load that module.

--
Ticket URL: <https://trac.macports.org/ticket/38452>
MacPorts <http://www.macports.org/>
Ports system for OS X

#38452: Apache on HFS Critical Security Issue

Comment (by dluke@…):

It would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/)

I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:1>

#38452: Apache on HFS Critical Security Issue

Comment (by egall@…):

Generally security issues get "high" priority, don't they?

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:2>

#38452: Apache on HFS Critical Security Issue

Changes (by ryandesign@…):

 * cc: ryandesign@… (added)

Comment:

apache2 is my port but I'm unsure what action you want us to take. apache2 is already at the latest 2.2.x version. (The request to update to 2.4.x is #35824.)

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:4>

#38452: Apache on HFS Critical Security Issue

Comment (by macsforever2000@…):

It seems this is an issue with Apple's Apache 2, not the Macports one.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:5>

#38452: PHP code disclosure vulnerability with apache2 and other web servers

Changes (by ryandesign@…):

 * priority: Normal => High

Comment:

I am able to reproduce the issue with MacPorts apache2 @2.2.4 and php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP versions.

I need to see upstream apache / lighttpd / php bug reports to determine what we should do to fix it.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:6>

On Mar 20, 2013, at 12:34 PM, MacPorts wrote:

> #38452: PHP code disclosure vulnerability with apache2 and other web servers
>
> I am able to reproduce the issue with MacPorts apache2 @2.2.4 and php55-apache2handler @5.5.0alpha6, and also with lighttpd @1.4.32 and php55-fcgi @5.5.0alpha6. I have not tested other web servers or PHP versions. I need to see upstream apache / lighttpd / php bug reports to determine what we should do to fix it.

Macport Trac appears to be offline.

If you have mod_rewrite available this appears to work around the problem for me:

    ...
    RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
    RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
    ...

I came up with this myself and the testing is very limited. I'm not that proficient with mod_rewrite rules, does someone have a better match than ".+\.p.+hp$"?

Regards,
Bradley Giesbrecht (pixilla)
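
A log check for the request shape discussed in this thread, added here as an example and not part of the original messages: it percent-decodes each request path, strips the code points HFS+ ignores when comparing names, and flags requests where only the stripped form ends in a script extension. The ignorable set beyond the U+200C seen in the ticket's URL, the `SCRIPT_EXTS` list, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Code points HFS+ skips when comparing names (assumed set, following Apple's
# HFS Plus volume format notes); U+200C is the one shown in the ticket.
IGNORABLE = re.compile("[\u200c-\u200f\u202a-\u202e\u206a-\u206f\ufeff]")
# Hypothetical list of extensions the server maps to a script handler.
SCRIPT_EXTS = (".php", ".pl", ".cgi", ".py", ".rb")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def check_path(raw_path):
    """Return (suspicious, canonical_path) for one percent-encoded path."""
    path = unquote(raw_path.split("?", 1)[0], errors="replace")
    canonical = IGNORABLE.sub("", path)
    if canonical == path:
        return False, path
    # The file system resolves `path` to `canonical`, but the server chose
    # its handler from `path`. Flag when only the canonical form looks
    # like a script, i.e. the handler mapping was sidestepped.
    hits_script = canonical.lower().endswith(SCRIPT_EXTS)
    seen_as_script = path.lower().endswith(SCRIPT_EXTS)
    return hits_script and not seen_as_script, canonical


def scan(log_lines):
    """Yield (line_number, raw_path, canonical_path) for flagged requests."""
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        suspicious, canonical = check_path(m.group(1))
        if suspicious:
            yield n, m.group(1), canonical


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [20/Mar/2013:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Mar/2013:12:00:02 +0000] "GET /index.p%E2%80%8Chp HTTP/1.1" 200 2048',
    '192.0.2.12 - - [20/Mar/2013:12:00:03 +0000] "GET /caf%C3%A9.html HTTP/1.1" 200 100',
    '192.0.2.13 - - [20/Mar/2013:12:00:04 +0000] "GET /conf%E2%80%8Cig.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, raw, canonical in scan(SAMPLE):
        print(f"line {n}: {raw} resolves to {canonical}")
```

The last sample line is not flagged because its raw path still ends in `.php`, so the server would still hand it to the script handler.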

#38452: PHP code disclosure vulnerability with apache2 and other web servers

Comment (by ryandesign@…):

I have a feeling it's the web server's responsibility to fix this, not PHP's. I've emailed the developer of lighttpd about this and will now look into apache.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:7>

#38452: PHP code disclosure vulnerability with apache2 and other web servers

Comment (by vikingjs@…):

Note that the specific exploit I provided exposed php code, but the hole is by no means limited to php. The exploit can be used to reveal any server-side scripting. A port of mod_hfs_apple seems like the most universal solution, if it's feasible.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:8>

#38452: Information disclosure vulnerability with apache2 and other web servers

Changes (by ryandesign@…):

 * cc: cal@… (added)

Comment:

Yes I realize that.

I have reported the problem to the Apache security list now too.

Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box. Also it would not help lighttpd. I have not tested nginx or other web servers.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:9>

#38452: Information disclosure vulnerability with apache2 and other web servers

Comment (by egall@…):

Replying to [comment:9 ryandesign@…]:
> Yes I realize that.
>
> I have reported the problem to the Apache security list now too.
>
> Porting mod_hfs_apple would perhaps help Apache but I don't think we should have to do that; the Apache developers should give us a secure web server out of the box.

I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:10>

#38452: Information disclosure vulnerability with apache2 and other web servers

Comment (by ryandesign@…):

Replying to [comment:1 dluke@…]:
> It would be nice to have a macports port of mod_hfs_apple (probably from here http://opensource.apple.com/source/apache_mod_hfs_apple/)
>
> I'm not sure if the latest version there (11) has the fix for CVE-2013-0966, though.

I doubt it since it was last modified in 2011.

Replying to [comment:10 egall@…]:
> I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.

Let's have a separate ticket for that.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:11>

#38452: Information disclosure vulnerability with apache2 and other web servers

Comment (by egall@…):

Replying to [comment:11 ryandesign@…]:
> Replying to [comment:10 egall@…]:
> > I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
>
> Let's have a separate ticket for that.

OK: #38461

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:12>

#38452: Information disclosure vulnerability with apache2 and other web servers

Comment (by mp@…):

Replying to [comment:12 egall@…]:
> Replying to [comment:11 ryandesign@…]:
> > Replying to [comment:10 egall@…]:
> > > I agree that Apache should provide a secure web server out of the box but I think we should port mod_hfs_apple anyway, regardless of this issue.
> >
> > Let's have a separate ticket for that.
>
> OK: #38461

A solution is presented in https://trac.macports.org/ticket/38461#comment:7
For now it's only been tested on Tiger, but it should work on all OS X versions. Anyone willing to test is most welcome.

--
Ticket URL: <https://trac.macports.org/ticket/38452#comment:13>