Apache Source Disclosure Bug

We discussed this vulnerability during Episode 83 on 20 September 2021

A rather non-intuitive bug where sending Content-Length: x would result in source disclosure on Apache.

The root of the bug is rather non-intuitive and has its origins in ignoring errors from filters. Naturally one of the HTTP Filters does see the invalid Content-Length header and makes a call to bail_out_on_error to write out the error message and bail. Rather than properly bailing however, the function that triggers the filter chain gets the AP_FILTER_ERROR return code and has a switch statement on it. Which just happens to completely ignore the AP_FILTER_ERROR case allowing the bad request to continue being processed.

Ultimately invoking a “txt/HTML” generator on the PHP file resulting in the PHP’s source code being written as output rather than executing the PHP interpreter. Its not entirely clear from the write-up why “txt/HTML” but my educated guess would be that a later filter in the chain that would normally change the generator and type simply wasn’t executed due to the early error return.

While this bug was silently patched, the security implications were not recognized and so the vulnerability has not (at the time of the presentation) been back ported.