Bug#572075: apache2-common: standard apache2.conf is insecure with respect to Satisfy any

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#572075: apache2-common: standard apache2.conf is insecure with respect to Satisfy any
From: Heiko Schlittermann <hs@schlittermann.de>
Date: Mon, 01 Mar 2010 14:20:12 +0100
Message-id: <[🔎] 20100301132012.20935.10811.reportbug@pc67.site>
Reply-to: Heiko Schlittermann <hs@schlittermann.de>, 572075@bugs.debian.org

Package: apache2.2-common
Version: 2.2.9-10+lenny6
Severity: important
Tags: patch


The apache2.conf contains 

	<Files ~ "^\.ht">
	    Order allow,deny
	    Deny from all
	</Files>

If in some other part of the configuration file (e.g. 
inside some virtual host configuration) the
AuthType, ... Required ... directives *and* "Satisfy any"
is used, it seems to apply to the above mentioned <Files>...
too. Thus *any* authenticated user may access the .ht* files.

I consider this as a serious security issue.
Adding "Satisfy all" to the above block would solve this and
should not harm otherwise.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Reply to:

Follow-Ups:
- Bug#572075: marked as done (apache2-common: standard apache2.conf is insecure with respect to Satisfy any)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Sulik.sk - Nechceme zavadzat skolne, drogy su svinstvo a program nepisal saman
Next by Date: Voar com a Tap é fácil e barato! Tap Low Cost, veja as promoções
Previous by thread: Sulik.sk - Nechceme zavadzat skolne, drogy su svinstvo a program nepisal saman
Next by thread: Bug#572075: marked as done (apache2-common: standard apache2.conf is insecure with respect to Satisfy any)
Index(es):
- Date
- Thread