Bug#171487: marked as done (Error in <Location> can affect other access controls)

To: Thom May <thom@debian.org>
Cc: Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Bug#171487: marked as done (Error in <Location> can affect other access controls)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 29 Feb 2004 11:48:16 -0800
Message-id: <[🔎] handler.171487.D171487.10780833874660.ackdone@bugs.debian.org>
In-reply-to: <20040229193625.GH27645@mirror.positive-internet.com>
References: <20040229193625.GH27645@mirror.positive-internet.com> <E18IyTn-0000Ox-00@math.lsu.edu>

Your message dated Sun, 29 Feb 2004 19:36:25 +0000
with message-id <20040229193625.GH27645@mirror.positive-internet.com>
and subject line This is user error
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Dec 2002 21:51:55 +0000
>From zed@math.lsu.edu Mon Dec 02 15:51:55 2002
Return-path: <zed@math.lsu.edu>
Received: from math.lsu.edu [130.39.168.55] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 18IyTr-0006CI-00; Mon, 02 Dec 2002 15:51:55 -0600
Received: from zed by math.lsu.edu with local (Exim 3.35 #1 (Debian))
	id 18IyTn-0000Ox-00; Mon, 02 Dec 2002 15:51:51 -0600
From: Zed Pobre <zed@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: .htaccess not being honored (or even read in some cases)
X-Mailer: reportbug 1.50
Date: Mon, 02 Dec 2002 15:51:51 -0600
Message-Id: <E18IyTn-0000Ox-00@math.lsu.edu>
Sender: Zed Pobre <zed@math.lsu.edu>
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=1.8 required=5.0
	tests=HOT_NASTY,SPAM_PHRASE_01_02
	version=2.41
X-Spam-Level: *

Package: apache
Version: 1.3.26-1.1
Severity: grave
Tags: security
Justification: user security hole

You may have to slap me if I'm missing something, but I can't see it
if I am.

I have:

#
# AccessFileName: The name of the file to look for in each directory
# for access control information.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess files from being viewed by
# Web clients.  Since .htaccess files often contain authorization
# information, access is disallowed for security reasons.  Comment
# these lines out if you want Web visitors to see the contents of
# .htaccess files.  If you change the AccessFileName directive above,
# be sure to make the corresponding changes here.
#
# Also, folks tend to use names such as .htpasswd for password
# files, so this will protect those as well.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

in /etc/apache/httpd.conf, and:

   Order deny,allow
   Deny from all
   allow from xxx.xxx.xxx. 
   allow from xxx.xxx.yyy.

in .htaccess in /var/www/directory,

but have just confirmed that I can not only see
http://oursite.com/directory from outside the specified ranges, but
even the http://oursite.com/directory/.htaccess file itself.  I'm
reasonably certain that at some point in the past (about two months
ago, according to our webmaster) these exact configuration lines were
working, and now they aren't.  On top of this, I put a .htaccess file
in a user public_html directory that seems not to have been read at
all -- when I cloned that directory to /var/www/user, and tried
http://oursite.com/user, the following showed up in the error.log:

[Mon Dec  2 15:16:08 2002] [alert] [client xxx.xxx.xxx.xxx] /var/www/user/.htaccess: AddType not allowed here

This is something that did not happen when I was viewing it as
http://oursite.com/~user.

Relevant Directory entries:

<Directory />
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>

<Directory /var/www/>
    Options Indexes Includes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

Somehow, .htaccess has stopped working properly here, and a lot of our
data is now exposed.  If you can quickly point me to something I did
wrong, I'll cheerfully apologize for bugging you (it seems odd that
I'm the first person to notice this), but right now it seems that our
apache packages have a major hole in them.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux erdos 2.4.19.erdos #1 SMP Mon Oct 21 12:38:15 CDT 2002 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages apache depends on:
ii  apache-common                1.3.26-1.1  Support files for all Apache webse
ii  dpkg                         1.9.21      Package maintenance system for Deb
ii  libc6                        2.3.1-4     GNU C Library: Shared libraries an
ii  libdb2                       2:2.7.7.0-7 The Berkeley database routines (ru
ii  libexpat1                    1.95.2-6    XML parsing C library - runtime li
ii  logrotate                    3.5.9-8     Log rotation utility
ii  mime-support                 3.18-1      MIME files 'mime.types' & 'mailcap
ii  perl                         5.8.0-13    Larry Wall's Practical Extraction 
ii  perl [perl5]                 5.8.0-13    Larry Wall's Practical Extraction 


---------------------------------------
Received: (at 171487-done) by bugs.debian.org; 29 Feb 2004 19:36:27 +0000
>From thom@debian.org Sun Feb 29 11:36:27 2004
Return-path: <thom@debian.org>
Received: from mirror.positive-internet.com [80.87.128.67] (postfix)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AxWji-0001Cz-00; Sun, 29 Feb 2004 11:36:27 -0800
Received: by mirror.positive-internet.com (Postfix, from userid 1002)
	id D4212432FA; Sun, 29 Feb 2004 19:36:25 +0000 (GMT)
Date: Sun, 29 Feb 2004 19:36:25 +0000
From: Thom May <thom@debian.org>
To: 171487-done@bugs.debian.org
Subject: This is user error
Message-ID: <20040229193625.GH27645@mirror.positive-internet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
X-Operating-System: Linux/2.6.2-1-686 (i686)
User-Agent: Mutt/1.5.5.1+cvs20040105i
Delivered-To: 171487-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_02_27 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=0.0 required=4.0 tests=none autolearn=no 
	version=2.60-bugs.debian.org_2004_02_27
X-Spam-Level: 

This appears to be user error.
-Thom

Reply to:

Prev by Date: Bug#222151: This should be fixed now
Next by Date: Bug#113067: marked as done (apache: build using libmm11 (EAPI_MM) library)
Previous by thread: Bug#222151: This should be fixed now
Next by thread: Bug#113067: marked as done (apache: build using libmm11 (EAPI_MM) library)
Index(es):
- Date
- Thread