OS X, Apache Security Hole Discovered

For years, Mac users were able to more or less ignore many of the virus and security risks that existed in the Windows and Unix worlds. OS X has changed that, and combined with the growing number of "always on" broadband connections, Mac users have to take more security precautions now than ever before.

With that said, a new security hole has been identified with OS X and the built-in Apache Web server. Due to the way that Apache handles commands, and the HFS+ disk structure of most OS X enabled Macs, not all private files on a machine are safe. According to SecurityFocus.com;

A vulnerability exists when Apache webserver is used with Mac OS X Client.

The standard filesystem for Mac OS X is HFS+. HFS+ is case insensitive while Apacheis filtering is case sensitive. The result is that Apache will filter all file requests that match filters exactly (including case), but it will not filter requests made with mixed or upper case characters. Since HFS+ is case insensitive, these requests will result in the "filtered" files being disclosed.

The impact is that arbitrary privileged files may be disclosed to unprivileged remote users.

You can find more information by going to the SecurityFocus.com Web site, and then clicking on "Vulnerabilities," and then "Advisories." You will see the "MacOS X Client Apache File Protection Bypass Vulnerability" advisory listed, and you can get more information from there.