Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Stefan Arentz (stefan.arentzsoze.com)
Date: Sun Jun 10 2001 - 12:53:40 CDT
Mac OS X 10.0.3 / Darwin 1.3.3
This is the the default setup, out of the box, with available
software updates installed. Please note, this is OS X *Client*.
Who is affected:
Everybody who used Apache on Mac OS X Client with the following
+ Documents are on a HFS+ volume
+ Directory protection is used
The preferred filesystem for Mac OS X is Apple's HFS+ and most
setups use it. HFS+ is a case insensitive filesystem.
Apache's directory protection (and other methods that depend on
filesystem object names) cannot handle this and breaks. For example,
both Directory and Location configuration options break.
This is a real security risk because most people do not know this.
It can easily be used to bypass protected directories.
Consider the following file:
And the following configuration:
Deny from all
Or, using a Directory option:
Deny from all
The following request will result in a 403 Forbidden as excpected:
But the following request will happily serve the file:
Using UFS solves this problem because it is case sensitive and
it behaves as expected.
Also, Mac OS X Server ships with a mod_hfs_apple.so Apache
module that solves this problem. However, the module is only
available as part of OS X Server, and not available as source
or part of the Apache distribution.
Modification to Apache so that it does a check for the 'real'
filename. This probably needs some support from the underlying
Or Apple should submit their HFS+ patches to the Apache Software
Foundation or install the mod_hfs_apple.so module on OS X Client.