A rather non-intuitive bug where sending Content-Length: x would result in source disclosure on Apache.
The root of the bug is rather non-intuitive and has its origins in ignoring errors from filters. Naturally, one of the HTTP filters does see the invalid Content-Length header and makes a call to bail_out_on_error to write out the error message and bail. Rather than properly bailing, however, the function that triggers the filter chain gets the AP_FILTER_ERROR return code and has a switch statement on it which just happens to completely ignore the AP_FILTER_ERROR case, allowing the bad request to continue being processed.
Ultimately this invokes a “txt/HTML” generator on the PHP file, resulting in the PHP source code being written as output rather than the PHP interpreter being executed. It's not entirely clear from the write-up why “txt/HTML”, but my educated guess would be that a later filter in the chain that would normally change the generator and type simply wasn't executed due to the early error return.
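To make the failure mode concrete, here is a small model of a filter-chain dispatcher whose switch forgets the error status, next to a version that fails closed. This is an added example written for this note, not Apache's code: the filter_status enum, the request struct, content_length_filter, dispatch_buggy and dispatch_fixed are all hypothetical names, and "the handler runs" stands in for the generator that wrote out the PHP source in the write-up.

```c
#include <stdio.h>

/* Hypothetical model of a filter-chain dispatcher, written for this note.
 * It is not Apache's code and does not use Apache's real types or names. */

typedef enum {
    FILTER_OK    = 0,   /* request passes, keep processing                 */
    FILTER_DONE  = 1,   /* filter already produced the complete response   */
    FILTER_ERROR = -1   /* filter wrote an error response and bailed       */
} filter_status;

typedef struct {
    const char *content_length;  /* raw header value, NULL if the header is absent */
    int error_written;           /* set once a filter has written an error body    */
} request;

/* Input filter: Content-Length must be all digits. On a bad value it writes
 * an error (modelled by the flag) and returns FILTER_ERROR, expecting the
 * caller to stop the request. */
static filter_status content_length_filter(request *r) {
    if (r->content_length == NULL)
        return FILTER_OK;
    for (const char *p = r->content_length; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') {
            r->error_written = 1;
            return FILTER_ERROR;
        }
    }
    return FILTER_OK;
}

/* Buggy dispatcher: the switch names only the statuses its author expected,
 * so FILTER_ERROR matches no arm, control falls out of the switch, and the
 * content handler still runs on a request that has already been rejected.
 * Returns 1 if the handler would be invoked, 0 otherwise. */
static int dispatch_buggy(request *r) {
    switch (content_length_filter(r)) {
    case FILTER_OK:
        break;
    case FILTER_DONE:
        return 0;
    /* no FILTER_ERROR arm and no default */
    }
    return 1;
}

/* Fixed dispatcher: the error status stops the request explicitly, and a
 * default arm makes any status value added later fail closed as well. */
static int dispatch_fixed(request *r) {
    switch (content_length_filter(r)) {
    case FILTER_OK:
        break;
    case FILTER_DONE:
        return 0;
    case FILTER_ERROR:
        return 0;
    default:
        return 0;
    }
    return 1;
}

/* Wrappers: does the handler run for a given (constructed) Content-Length value? */
int buggy_handler_runs(const char *content_length) {
    request r = { content_length, 0 };
    return dispatch_buggy(&r);
}

int fixed_handler_runs(const char *content_length) {
    request r = { content_length, 0 };
    return dispatch_fixed(&r);
}

int main(void) {
    printf("Content-Length: x   buggy=%d fixed=%d\n",
           buggy_handler_runs("x"), fixed_handler_runs("x"));
    printf("Content-Length: 12  buggy=%d fixed=%d\n",
           buggy_handler_runs("12"), fixed_handler_runs("12"));
    return 0;
}
```

With the value "x" the buggy dispatcher reports that the handler runs even though the filter has already written an error; the fixed one stops. A switch over an enum with a missing arm is exactly what gcc's -Wswitch (enabled by -Wall) reports, so compiling the dispatcher with warnings treated as errors is a cheap way to catch this class of dropped-error bug before it ships.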
While this bug was silently patched, the security implications were not recognized, and so the vulnerability has not (at the time of the presentation) been backported.