HTACCESS LIMIT directive bypassing was the common method of accessing banned directories where the LIMIT directive is used to ban all and allow from a specified IP address.
This is still possible today because of the sheer amount of Apache servers running that are not up to date and due to the fact that while this issue was known about for over a decade, it was not fixed until very recently.
Typically the LIMIT directive is used as:
<Limit GET POST>
deny from all
allow from 127.0.0.1
However unpatched versions of Apache do silly things when a request is made where the 'request type' has been spoofed (not the remote ip).
Example of a correct request to an admin directory:
GET /admin HTTP/1.1
Would result in a 403 access denied server response if the LIMIT example above was set up in the htaccess file.
However the request method can be spoofed as below:
ATTACK /admin HTTP/1.1
In this example using ATTACK as the request type, the out of date Apaches LIMIT directive sees that 'ATTACK' is not on the ban list of GET and POST so it allows it through.
But the out of date version of Apache, in not having ATTACK as one of its request methods, converts the ATTACK request type to GET instead of banning the request.
The end result is that the request is successful thus bypassing the LIMIT directive allowing any IP address access to that directory.
The safety mechanism is LimitExcept (example below)
<LimitExcept GET POST HEAD OPTIONS>
Deny from all
Setting that at the top of the root htaccess file will restrict all request types right from the start at which point directives like LIMIT can be used safely.
- Stop Oscommerce hacks dead in their tracks with osC_Sec
(see discussion here
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security
: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes