httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 9130] - Name of index file disclosed when invalid/unsupported method used for request
Date Sun, 18 Aug 2002 19:53:20 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9130>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9130

Name of index file disclosed when invalid/unsupported method used for request





------- Additional Comments From wrowe@apache.org  2002-08-18 19:53 -------

  I really don't know that this is a vulnerability.

  Using the proper notation, e.g. GET / HTTP/1.0, one of the headers returned
  is the Content-Location header;

Content-Location: index.html.en

  This allows the client to determine that / and /index.html.en are the same
  resource, preventing that URL from being dup-indexed or infinitely recursed.
  Likewise with index.html and index.html.en.

  This is a pretty well defined behavior, so the SPOON / request example
  truly reveals no more than a GET request.

  Consider this a vote -1 for the bug... if we have two others who agree, 
  we ought to table this report.  The impact of losing the Content-Location
  is too adverse to consider, and the not-supported result is no different.
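
Added example, not part of the original message or of Apache httpd: a sketch of how an indexing client could use the Content-Location header described above to treat / and /index.html.en as one resource and stop re-crawling it. The host name, the sample responses and the function names are constructed for illustration.

```python
from urllib.parse import urljoin

# Constructed sample: request URL -> (Content-Location header or None, links in body).
# The host and link layout are invented; only "index.html.en" comes from the message.
CONSTRUCTED_SITE = {
    "http://www.example.test/": ("index.html.en", ["index.html", "index.html.en", "docs/"]),
    "http://www.example.test/index.html": ("index.html.en", ["index.html.en"]),
    "http://www.example.test/index.html.en": (None, ["/"]),
    "http://www.example.test/docs/": ("index.html.en", ["../"]),
}


def canonical_url(request_url, content_location):
    """Resolve Content-Location against the request URL; fall back to the request URL."""
    if not content_location:
        return request_url
    return urljoin(request_url, content_location)


def crawl(start, site):
    """Walk the constructed site, indexing each resource once under its canonical URL."""
    indexed = {}      # canonical URL -> request URLs that resolved to it
    visited = set()   # request URLs already fetched
    queue = [start]
    while queue:
        url = queue.pop(0)
        if url in visited or url not in site:
            continue
        visited.add(url)
        content_location, links = site[url]
        canon = canonical_url(url, content_location)
        first_time = canon not in indexed
        indexed.setdefault(canon, []).append(url)
        # Follow links only the first time a resource is seen, so aliases of
        # the same document cannot send the crawler round in circles.
        if first_time:
            queue.extend(urljoin(url, link) for link in links)
    return indexed


if __name__ == "__main__":
    for canon, aliases in crawl("http://www.example.test/", CONSTRUCTED_SITE).items():
        print(canon, "<-", aliases)
```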
