Title: SuSE Apache WebDAV Directory Listings (A090700-3)
Released by: @stake
Date: 7th September 2000

                               @stake Inc.



                           Security Advisory

Advisory Name: SuSE Apache WebDAV Directory Listings (A090700-3)
 Release Date: 09/07/2000
  Application: Apache 1.3.12
     Platform: SuSE Linux 6.4
     Severity: Attackers are able to retrieve directory listings
       Author: mnemonix (dlitchfield@atstake.com)
Vendor Status: Vendor has updated Apache package
          Web: www.atstake.com/research/advisories/2000/a090700-3.txt


WebDAV (Web Distributed Authoring and Versioning) is an extension to the
HTTP (Hypertext Transfer Protocol) 1.1 protocol, the protocol that drives
the Web, and is discussed in RFC 2518
(http://ftp.isi.edu/in-notes/rfc2518.txt). Essentially WebDAV exists to
allow users to create, edit and share documents over the Internet or
Intranets using the HTTP protocol. To facilitate this, new REQUEST METHODS
have been added on top of the standard GET, POST and HEAD methods such as


One of these, PROPFIND, is of interest as far as this particular issue is
concerned. PROPFIND exists to allow users to search for certain
properties of resources such as the displayname, when last modified, etc.
The Apache web server as installed by SuSE 6.4 has WebDAV "turned
on". By making a request to the web server similar to the following it is
possible to gain what amounts to a directory listing:

suse~: # telnet 80
Connected to
Escape character is '^]'.

Host: suse
Content-Type: text/xml
Content-Length: 110

HTTP/1.1 207 Multi-Status
Date: Sun, 20 Aug 2000 17:38:58 GMT
Server: Apache/1.3.12 (Unix)  (SuSE/Linux) mod_fastcgi/2.2.2 DAV/0.9.14 mod_perl/1.21 PHP/3.0.15
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"

HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK

---cut-----

What are the security ramifications of this? Looking at the server's
response, one can see a directory called /secret/secret/ with
three files stored there called sql_tool.html, add-user.html and
change-passwd.html. These pages exist for administration purposes and
there are no links to these pages from the site. To be able to access them
a user needs to know of their existence - a poor method of access control
- but one which is quite common. Further to this, it would be possible to
look for files that may have been left by developers, such as test.html
or script.cgi.old, which often allow greater access than their production
version equivalents or, due to a .old or .bak file extension, are not
executed, so that access to the source can be gained.
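
To check whether a server has already been probed this way, the access log can be searched for PROPFIND requests answered with 207 Multi-Status, together with what the same client fetched afterwards. The following Python is an added example, not part of the @stake advisory; it assumes Apache Common Log Format, and the log lines and client addresses are constructed.

```python
import re
from collections import defaultdict

# Apache Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (documentation addresses, not from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Aug/2000:17:38:58 +0000] "PROPFIND / HTTP/1.1" 207 2310
192.0.2.10 - - [20/Aug/2000:17:39:20 +0000] "GET /secret/secret/add-user.html HTTP/1.1" 200 812
198.51.100.7 - - [20/Aug/2000:17:40:02 +0000] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [20/Aug/2000:17:41:10 +0000] "PROPFIND /docs/ HTTP/1.1" 405 230
192.0.2.10 - - [20/Aug/2000:17:41:30 +0000] "GET /script.cgi.old HTTP/1.1" 200 4096
this line is malformed and must be skipped
"""

def find_propfind_listings(log_text):
    """Return {client: {"listed": [paths], "followups": [paths]}}.

    "listed" holds paths where PROPFIND was answered 207 Multi-Status, i.e.
    the server returned resource properties. "followups" holds successful
    non-PROPFIND requests the same client made afterwards, which are the
    candidates for files learned from the listing.
    """
    report = defaultdict(lambda: {"listed": [], "followups": []})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # ignore lines that are not Common Log Format
        host, method, path, status = m["host"], m["method"], m["path"], m["status"]
        if method == "PROPFIND" and status == "207":
            report[host]["listed"].append(path)
        elif host in report and method != "PROPFIND" and status.startswith("2"):
            report[host]["followups"].append(path)
    return dict(report)

if __name__ == "__main__":
    for client, info in find_propfind_listings(SAMPLE_LOG).items():
        print(client, "listed:", info["listed"], "then fetched:", info["followups"])
```

A PROPFIND that is refused (the 405 line in the sample) is not reported, so any hit means the server actually returned a listing.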


If you want to leave WebDAV enabled for some directories, open
httpd.conf in your text editor of choice, e.g. pico or vi, and add the
following for each directory you want to enable WebDAV for:

#add other directives as needed such as Order allow,deny

Stop and restart Apache.

If you want to simply turn WebDAV off: Open up httpd.conf and find

and change "On" to "Off". By default there is only one directory with the
IfDefine DAV directive, namely "/usr/local/httpd/htdocs". If other
directories have been given this directive change these too. Stop and
restart Apache.

If you want Apache to start without the WebDAV module, then edit
/etc/rc.d/rc3.d/S20apache and place a "#" in front of the line that reads

test -e /usr/lib/apache/libdav.so && MODULES="-D DAV $MODULES"

By doing this when Apache is next started this module will not be


Vendor Response:

SuSE have updated their Apache package and more information is available
from http://www.suse.de/de/support/security/

For more advisories: http://www.atstake.com/research/index.html

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.