httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject What the heck is this?!? : re: put and delete functions in httpd
Date Mon, 13 Mar 1995 10:03:25 GMT

----- Begin Included Message -----

>From owner-bugtraq@fc.net Sun Mar 12 00:32:15 1995
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: put and delete functions in httpd
To: bugtraq@fc.net
Date: Sat, 11 Mar 1995 12:09:41 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 941
Sender: owner-bugtraq@fc.net

I was looking through the code to httpd and noticed the functions Put
and Delete - apparently using the same access controls as get, etc. 
Does this mean the default is that anyone can delete and put replacement
files in http servers? I removed the code (to no negative effect) from
my httpd but didn't test to exercise the potential problem.  I would be
interested to hear of anyone who tests and finds that outsiders can
modify their servers this way.

Also of interest - httpd produces error returns when you ask for a moved
file, etc.  I modified our daemon to do a redirect to our home-page so
that users don't have to read error messages and try other URLs.  It
seems to work well and eliminates a number of access control concerns
with people guessing URLs (any URL works - but you almost always get the
home page).  Also, this seems to redirect programs looking at robots.txt.
I wonder how many of them fail from syntax errors?

FC



----- End Included Message -----
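
An added example, not part of the original message and not httpd's own code: a loopback test server in Python that shows the concern raised above, one open access rule covering every method, next to a per-method rule that requires authorization for PUT and DELETE. The `X-Write-Token` header, the token value and the one-file document tree are constructed for the illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

WRITE_METHODS = {"PUT", "DELETE"}
WRITE_TOKEN = "example-token"  # constructed placeholder credential

def make_handler(per_method):
    """per_method=False: the open GET rule also covers PUT and DELETE."""
    files = {"/index.html": b"original"}  # constructed document tree
    class Handler(BaseHTTPRequestHandler):
        def handle_any(self):
            body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
            needs_auth = per_method and self.command in WRITE_METHODS
            if needs_auth and self.headers.get("X-Write-Token") != WRITE_TOKEN:
                status, out = 403, b"write methods need authorization\n"
            elif self.command == "PUT":
                files[self.path] = body
                status, out = 200, b"stored\n"
            elif self.command == "DELETE":
                status, out = (200 if files.pop(self.path, None) is not None else 404), b""
            else:  # GET
                status, out = (200, files[self.path]) if self.path in files else (404, b"")
            self.send_response(status)
            self.send_header("Content-Length", str(len(out)))
            self.end_headers()
            self.wfile.write(out)

        do_GET = do_PUT = do_DELETE = handle_any

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler

def probe(per_method):
    """Anonymous GET, PUT, DELETE, GET against a loopback server; returns statuses."""
    with HTTPServer(("127.0.0.1", 0), make_handler(per_method)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results = []
        for method, body in (("GET", None), ("PUT", b"replaced"), ("DELETE", None), ("GET", None)):
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request(method, "/index.html", body=body)
            resp = conn.getresponse()
            resp.read()
            results.append((method, resp.status))
            conn.close()
        server.shutdown()
    return results
```

Calling `probe(False)` and `probe(True)` returns the status codes an unauthenticated client sees under each policy; the final GET shows whether the file survived.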

