Article ID: 2797, created on Oct 29, 2007, last review on Apr 17, 2012

  • Applies to:
  • Pro Control Panel Linux

Knowledge ID 2183
Product : Ensim Pro for Linux
Version : 4.1.0
Topic : Hotfix

Title
HTTP POST can be issued against files in the protected directory

Summary
Addresses the issue "HTTP POST can be issued against files in the protected directory"

Details

Product: Ensim Pro for Linux
Version: 4.1.0 (Fedora Core 1, Fedora Core 2, Red Hat Enterprise Linux 3, Red Hat Enterprise Linux 4, CentOS 4.1, CentOS 4.2)
Date: 01-February-2006
Patch Description:
Addresses the issue:
HTTP POST can be issued against files in the protected directory.
Overview: When the Ensim control panel is used to protect a directory, the .htaccess file it writes only protects HTTP GET; HTTP POST can still be issued against files in the protected directory.
To prevent this unauthorised access and resolve the issue, apply this hotfix.

Download:
For fc1: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/fc1/webppliance-apache-4.1.0-11.fc.1.i386.rpm
(md5sum: 64d5ba16fed63dfe765ee95049bd8298)

For fc2: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/fc2/webppliance-apache-4.1.0-11.fc.2.i386.rpm
(md5sum: bdd073db332d969dfa1f9a9003ec7b6f)

For RHEL3: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel3/webppliance-apache-4.1.0-11.rhel.3ES.i386.rpm
(md5sum: 992af7a1d28154245645247968b19b03)

For RHEL4: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum: f8100925d8992aaf92c98ca5dcfa0b0d)

For CentOS 4.1: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum: f8100925d8992aaf92c98ca5dcfa0b0d)

For CentOS 4.2: http://download.swsoft.com/ensim/download/pro/linux/4.1.0/hotfix/httppostvulnerability/rhel4/webppliance-apache-4.1.0-11.rhel.4ES.i386.rpm
(md5sum: f8100925d8992aaf92c98ca5dcfa0b0d)

Installation Procedure:

  • Get the webppliance-apache RPM from the locations mentioned above.
  • Upgrade the RPM. Webppliance restart is not required.


Protecting New Directories:

  • Log in as siteadmin (Frontpage should not be enabled for your site).
  • Go to apache->protect directories.
  • Enter the info and protect the directory.
  • Check the .htaccess file inside that directory; it should list both GET and POST in the Limit tag that encloses the Require directive.


Re-apply the directory protection to existing directories:

  • For directories already protected with an earlier version of Ensim Pro, you will have to re-protect all the existing protected directories.
  • Follow steps 1 and 2 as mentioned in the previous section.
  • Now unprotect the directory, and again protect it.
  • Again, check the .htaccess file for the GET and POST tags.

Note: If you already have protected directories on the server, you can execute the attached file to apply the fix to them.
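The check that both procedures above ask for, as an added example that is not the page's own code and not the attached KB2183.pl: it reads a constructed .htaccess of the form the unpatched panel writes, reports which of GET and POST no Require directive covers, and rewrites a `<Limit GET>` header into the `<Limit GET POST>` form the hotfix produces. The AuthUserFile path and AuthName are made up.

```python
import re
# Constructed sample of the .htaccess the unpatched control panel writes: the
# Require sits inside <Limit GET>, so only GET is authenticated and a POST to the
# same file is served without credentials. The AuthUserFile path is made up.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Protected Directory"
AuthUserFile /home/virtual/site1/.htpasswd
<Limit GET>
    Require valid-user
</Limit>
"""

# Constructed sample of the form the hotfix writes: GET and POST both listed.
FIXED_HTACCESS = """\
AuthType Basic
AuthName "Protected Directory"
AuthUserFile /home/virtual/site1/.htpasswd
<Limit GET POST>
    Require valid-user
</Limit>
"""

BLOCK_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.IGNORECASE | re.DOTALL)
REQUIRE_RE = re.compile(r"^\s*Require\b", re.IGNORECASE | re.MULTILINE)

def unprotected_methods(htaccess, required=("GET", "POST")):
    """Return the methods in `required` that no Require directive covers."""
    # A Require outside any <Limit>/<LimitExcept> block applies to every method.
    if REQUIRE_RE.search(BLOCK_RE.sub("", htaccess)):
        return []
    covered = set()
    for tag, methods, body in BLOCK_RE.findall(htaccess):
        if not REQUIRE_RE.search(body):
            continue
        listed = {m.upper() for m in methods.split()}
        if tag.lower() == "limit":  # only the listed methods are covered
            covered |= listed
        else:  # LimitExcept: every method not listed is covered
            covered |= {m for m in required if m not in listed}
    return [m for m in required if m not in covered]

def add_limit_methods(htaccess, methods=("GET", "POST")):
    """Rewrite each <Limit ...> header so that it also lists `methods`."""
    def fix(match):
        listed = match.group(1).split()
        extra = [m for m in methods if m not in {x.upper() for x in listed}]
        return "<Limit " + " ".join(listed + extra) + ">"
    return re.sub(r"<Limit\s+([^>]+)>", fix, htaccess, flags=re.IGNORECASE)
```

A Require placed outside any Limit block applies to every method, which is why the checker treats it as fully covered; a `<Limit GET POST>` block still leaves any method other than GET and POST unrestricted.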


Attachments
1. KB2183.pl


Last Modified: 2/1/2006 6:47:28 AM
Usage: 136
Last Used: 10/11/2007 4:25:23 AM
