httpd-cvs mailing list archives

From f...@locus.apache.org
Subject cvs commit: apache-1.3/src CHANGES
Date Fri, 22 Sep 2000 20:41:02 GMT
fanf        00/09/22 13:41:02

  Modified:    src      CHANGES
  Log:
  Note the fix of the mod_rewrite multi-pass expansion security problem.
  
  Revision  Changes    Path
  1.1578    +6 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1577
  retrieving revision 1.1578
  diff -u -u -r1.1577 -r1.1578
  --- CHANGES	2000/09/21 13:19:22	1.1577
  +++ CHANGES	2000/09/22 20:40:57	1.1578
  @@ -1,5 +1,11 @@
   Changes with Apache 1.3.13
   
  +  *) Fix a security problem that affects some configurations of
  +     mod_rewrite. If the result of a RewriteRule is a filename that
  +     contains expansion specifiers, especially regexp backreferences
  +     $0..$9 and %0..%9, then it may have been possible for an attacker
  +     to access any file on the web server. [Tony Finch]
  +
     *) Add mod_auth_dbm (sdbm flavor) binary build for Win32.
        [William Rowe]
   
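Review bot: The new CHANGES entry does not give an administrator enough to tell whether their rules are affected. In its second and third lines, "some configurations" and "expansion specifiers, especially regexp backreferences $0..$9 and %0..%9" imply that other specifiers are involved without naming them. The entry also never states the cause that the commit log gives, namely multi-pass expansion. Suggest listing the affected specifiers in full and adding one clause on the cause, so that someone reading CHANGES can audit their RewriteRule lines against it. The phrase "it may have been possible for an attacker to access any file on the web server" would also be clearer if it said whether this means any file readable by the server process or only files reachable through the rewritten filename.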
  
  
  
