Featured Article: Podcast - Mac Geek Gab #158: Bad RAM, iSights, Drive Speeds, and Startup Shortcuts
OS X, Apache Security Hole Discovered
by , 2:00 PM EDT, June 13th, 2001
For years, Mac users were able to more or less ignore many of the virus and security risks that existed in the Windows and Unix worlds. OS X has changed that, and combined with the growing number of "always on" broadband connections, Mac users have to take more security precautions now than ever before.
With that said, a new security hole has been identified with OS X and the built-in Apache Web server. Due to the way that Apache handles commands, and the HFS+ disk structure of most OS X enabled Macs, not all private files on a machine are safe. According to SecurityFocus.com;
A vulnerability exists when Apache webserver is used with Mac OS X Client.
The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive while Apache's filtering is case sensitive. The result is that Apache will filter all file requests that match filters exactly (including case), but it will not filter requests made with mixed or upper case characters. Since HFS+ is case insensitive, these requests will result in the "filtered" files being disclosed.
The impact is that arbitrary privileged files may be disclosed to unprivileged remote users.
You can find more information by going to the SecurityFocus.com Web site, and then clicking on "Vulnerabilities," and then "Advisories." You will see the "MacOS X Client Apache File Protection Bypass Vulnerability" advisory listed, and you can get more information from there.
Observer Comments
Recent Headlines - Updated Friday, July 4th, 2008
- Fri., 7:30 AM
- Happy Fourth of July!
- Thu., 4:50 PM
- Apple Slashes $400 from SSD Drive in MacBook Air
- 4:05 PM
- It's Official - Firefox Sets Guinness Record for Downloads
- 3:30 PM
- Apple Files Patent for a Multi-touch Gesture Language
- 2:20 PM
- Editorial - Mac's Market Share and the Cascade Failure of Windows
- 1:35 PM
- iPodObserver - Apple Slurps Up Samsung's NAND Flash for iPhone 3G
- 1:05 PM
- WSJ: Tips for Switching from Windows to Mac
- 12:05 PM
- iPodObserver - Google Intros Google Talk for iPhone
- 11:35 AM
- iPO Just a Thought - iPod nano Versus iPhone: Decisons, Decisions...
- 10:55 AM
- YouTube Ordered to Turn Over All User Records to Viacom
- 10:10 AM
- Hot Forum Topic - Apple vs. Cell Carriers: Who's Winning the Game
- 9:25 AM
- iPodObserver - Rumor: Best Buy, Radio Shack to Sell iPhone 3G
- 8:45 AM
- .Mac Bookmark Sync Deadline Extended to July 6
- 8:10 AM
- Adobe Reader 9 Hits the Streets
The Mac Observer Reader Specials
- Download Typestyler, still the Ultimate Styling Tool for Internet, Print and Video Graphics. Works great in Classic with a Native OS X Version on the way. Free Tryout: www.typestyler.com
- OWC: Juice up your iPod w/NewerTech High Capacity Battery from $19.99 Free Installation Videos for most models. Pro Installation Service w/FedEx Shipping From $57.95 (Battery Included). - www.MacSales.com
MacPro Memory 667Mhz With Apple Spec Heat Sink 2GB $90 / 4GB $134 / 8GB $264. Click to Maximize your Macs...
Mac observers can now play Party Poker for Mac as well as Mac casino games by going to MacPokerOnline.com.
RamJet Memory: MacBook 1Gig $39, 2Gig $78, 4Gig $195! Mac Pro 2Gig $115, 4Gig $189! 500G Seagate SATA II $139! Click hereFor the latest Apple products use Ciao a comparison website to find laptops like MacBook Air. Then find the best prices on MP3 players and use our comparison tool to evaluate cell phones.
Laptop Hardware Provided by TechRestore - Overnight Mac & iPod Repairs.
Harman Kardon EP 730 In-ear Noise Isolating Earphones With Volume Control: $52.99 Delivered 
Archos 604 30 GB Ultraslim Portable Digital Media Player and Recorder: $169.99 Delivered 
Western Digital 320GB My Passport Essential USB 2.0 Portable Hard Drive: $128.99 Delivered 
Cavalry 1TB Hard Drive - RAID 1 (500GB Mirrored) - Interface (USB 2.0) External Hard Drive: $189.99 
