Icy Phoenix


Use "Limit GET POST"
MG, did u know that using "Limit GET POST" is bad for security reasons?
You have to delete ALL limit GET POST from .htaccess.
  • Google translation
    Vulnerability in Apache: bypassing .htaccess with "Limit GET POST"
    26 February 2008 - 15:10
    Last weekend, I received a phone call from a friend (Geo). He told me that he had managed to circumvent the .htaccess file that I had placed to secure the admin area of Ghosts In The Stack. Puzzled, I asked him how he had done it ... and it turns out that this would come from Apache, which tends to run requests that it does not understand as GET requests. Regarding other web servers, I could not test because I have no other at hand. Here are some explanations to understand how to take advantage of the flaw and how to guard against it.
    Demonstrating the flaw
    Suppose we have a local Apache server and that we have a page index.php very simple like this:

    <h1>Hello</h1>

    To access the page, we access the URL ~trance/vuln/ with a Web browser. The query is roughly as follows:

    GET ~trance/vuln/ HTTP/1.1
    Host:

    The response received contains the HTML code of the web page. So far, everything is normal: Apache has simply interpreted the GET request being sent. Now imagine that we send a malformed request that is not of type GET, such as:

    n1Mp0rTeKwa ~trance/vuln/ HTTP/1.1
    Host:

    There, we see that Apache makes absolutely no difference between this and the previous request! There is no error, it returns the same thing. At first glance, this is not necessarily shocking, but it becomes clear fast enough that you can take advantage of this vulnerability to bypass certain .htaccess protections.

    Circumvent the "Limit GET POST"
    In many cases, a webmaster may wish to restrict access to a file or a folder on his website. To do this, he puts .htaccess files in place. These files locally alter the configuration of Apache and use a certain syntax that allows you to do quite powerful things. The description of this syntax is well known, and many Web sites illustrate it. Some propose a simple solution to protect access to a file with a password. It suffices, they say, to create a .htaccess on this model:

    <Files FichierAProteger.php>
    AuthUserFile /path/to/.htpasswd
    AuthName "Restricted Area"
    AuthType Basic
         <Limit GET POST>
         require valid-user
         </Limit>
    </Files>

    This file tells Apache to reject any GET or POST request if the user is not identified with a login and password that appears in the corresponding .htpasswd file. In fact, it does not matter whether there is a .htpasswd; the flaw does not lie at this level.

    Remember what we saw above. We saw that Apache interprets all requests that it does not know as GET requests. Thus, we can use that to our advantage to access the protected page without a login!

    Example: imagine that we have a rudimentary .htaccess of this type in the same folder:

    <Limit GET POST>
    Deny from all
    </Limit>

    Logically, this file is supposed to prohibit any access to your folder. The problem is that only GET or POST requests are concerned ... Try to access the page with your browser: you get a 403 error because your browser implicitly sends a GET. Now, send an incorrect request with Netcat, such as:

    n1Mp0rTeKwa ~trance/vuln/ HTTP/1.1
    Host:

    You get the following response:

    <h1>Hello</h1>

    Here is how to circumvent the protection ... Simple, isn't it? The worst thing in all this is that the majority of webmasters protect their sites this way. And I was one until you pointed me

    The correction is ultra-simple: do not use the "Limit" instruction when you want to restrict access to a file or folder! Banish the lines "<Limit GET POST>" and "</Limit>" from your .htaccess files and you'll avoid these problems.

    Moreover, the documentation of Apache makes it clear that, in general, one should not use <Limit> when attempting to restrict access. I quote: "In the general case, access control directives should not be placed within a <Limit> section."

    One small caveat, however: for the time being, we have not found a way to distort POSTs by injecting data. So if you have any POST forms protected by .htaccess, a priori they are safe. But I still advise you to patch your .htaccess by removing the "<Limit>" lines, which are a little too dangerous ...

    On the other hand, I am far from an expert in Apache configuration. There may be an option asking Apache to refuse all requests that it does not understand. If you know of one, you can leave a comment, it interests me ...

    Thanks again to Geo for warning me of the presence of the flaw on GITS!
  • My translation (light, for ...)
  • My translation(light, for ...)
    For a file IdontknowWhat.php.
    with: <h1>Hello</h1>
    If in ur .htaccess you have:
    <Limit GET POST>
    Deny from all
    </Limit>
    Logically, this file is supposed to forbid access to the page at this path. The problem is that it's only for GET and POST requests.
    Try to access the page with IE/FF/O: u'll have an error 403, because IE/FF/O send a GET request, like:
    GET HTTP/1.1
    Now, send a request with a tool like NetCat:
    n1Mp0rTeKwa HTTP/1.1
    Host:
    And the page will show, u'll get:
    <h1>Bonjour !</h1>
    Why ?
    If Apache doesn't know this type of request, Apache thinks it's a GET request.


Informpro
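
Added example, not part of the original post or of the quoted article: a Python check that flags access-control directives placed inside a <Limit> section of a .htaccess file, the pattern the article says to remove. The function name audit_htaccess, the list of directives checked and the two sample files (built from the article's own example) are assumptions made for this example.

```python
import re

# Directives that grant or deny access. Inside <Limit> they apply only to
# the listed methods, so any other method is left uncontrolled.
ACCESS_DIRECTIVES = {"require", "deny", "allow", "order", "satisfy"}

OPEN_RE = re.compile(r"<\s*(Limit|LimitExcept)\b([^>]*)>", re.I)
CLOSE_RE = re.compile(r"<\s*/\s*(Limit|LimitExcept)\s*>", re.I)

def audit_htaccess(text):
    """Return (line_no, methods, directive) for every access-control
    directive found inside a <Limit> section."""
    findings = []
    limit_methods = None  # methods of the enclosing <Limit>, None when outside
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            # <LimitExcept> covers every method NOT listed, so it is not flagged.
            is_limit = m.group(1).lower() == "limit"
            limit_methods = m.group(2).split() if is_limit else None
            continue
        if CLOSE_RE.match(line):
            limit_methods = None
            continue
        if limit_methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((line_no, tuple(limit_methods), line))
    return findings

# Constructed sample: the article's password-protection example.
SAMPLE_WEAK = """\
<Files FichierAProteger.php>
AuthUserFile /path/to/.htpasswd
AuthName "Restricted Area"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</Files>
"""

# Constructed sample: the same file with the <Limit> lines removed, as the article advises.
SAMPLE_FIXED = SAMPLE_WEAK.replace("<Limit GET POST>\n", "").replace("</Limit>\n", "")

if __name__ == "__main__":
    for line_no, methods, directive in audit_htaccess(SAMPLE_WEAK):
        print(f"line {line_no}: '{directive}' only applies to {', '.join(methods)}")
```
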