Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id CAA01973; Mon, 13 Mar 1995 02:08:20 -0800
Received: from ns.elsevier.nl by taz.hyperreal.com (8.6.10/8.6.5) with ESMTP id CAA01968; Mon, 13 Mar 1995 02:08:18 -0800
Received: from www.elsevier.co.uk by ns.elsevier.nl with SMTP (PP); Mon, 13 Mar 1995 11:09:58 +0100
Received: by www.elsevier.co.uk (4.1/SMI-4.1) id AA29511; Mon, 13 Mar 95 10:03:25 GMT
Date: Mon, 13 Mar 95 10:03:25 GMT
From: Andrew Wilson
Message-Id: <9503131003.AA29511@www.elsevier.co.uk>
To: new-httpd@hyperreal.com
Subject: What the heck is this?!? : re: put and delete functions in httpd
Sender: owner-new-httpd@hyperreal.com
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

----- Begin Included Message -----

From owner-bugtraq@fc.net Sun Mar 12 00:32:15 1995
From: fc@all.net (Dr. Frederick B. Cohen)
Subject: put and delete functions in httpd
To: bugtraq@fc.net
Date: Sat, 11 Mar 1995 12:09:41 -0500 (EST)
X-Mailer: ELM [version 2.4 PL22]
Content-Type: text
Content-Length: 941
Sender: owner-bugtraq@fc.net

I was looking through the code to httpd and noticed the functions Put and Delete - apparently using the same access controls as get, etc. Does this mean the default is that anyone can delete and put replacement files in http servers? I removed the code (to no negative effect) from my httpd but didn't test to exercise the potential problem. I would be interested to hear of anyone who tests and finds that outsiders can modify their servers this way.

Also of interest - httpd produces error returns when you ask for a moved file, etc. I modified our daemon to do a redirect to our home page so that users don't have to read error messages and try other URLs. It seems to work well and eliminates a number of access control concerns with people guessing URLs (any URL works - but you almost always get the home page). Also, this seems to redirect programs looking at robots.txt. I wonder how many of them fail from syntax errors?

FC

----- End Included Message -----
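The two behaviours Cohen describes, modelled as an added example (this is not code from the post, from NCSA httpd or from the new-httpd project): an in-memory server whose PUT and DELETE are gated by the same per-path ACL as GET, beside a method-aware variant that denies writes unless a path carries an explicit write grant; and a "missing file redirects to the home page" mode, with a small robots.txt reader to show what a crawler that follows the redirect actually ends up parsing. Every path, user name, ACL entry and file body below is constructed for the example.

```python
"""Added example, not code from the 1995 post nor from NCSA httpd.

Models the two behaviours the message describes in a small in-memory
server so their consequences can be checked offline:

  1. PUT/DELETE gated by the same per-path ACL as GET (as the post says
     the httpd code did), beside a method-aware ACL that denies writes
     unless a path has an explicit write grant.
  2. Answering a missing file with a redirect to the home page instead
     of a 404, and what a robots.txt client then receives.

All paths, users and file contents below are constructed for the example.
"""
from dataclasses import dataclass, field

WRITE_METHODS = {"PUT", "DELETE"}


@dataclass
class Server:
    files: dict                                    # path -> body
    read_acl: dict                                 # path prefix -> {users} or {"*"}
    write_acl: dict = field(default_factory=dict)  # consulted only when method_aware
    method_aware: bool = False                     # False reproduces the behaviour in the post
    redirect_missing: bool = False                 # True reproduces the redirect-to-home change


def authorized(acl, path, user):
    """Longest matching prefix in acl decides; no matching prefix means deny."""
    match = max((p for p in acl if path.startswith(p)), key=len, default=None)
    if match is None:
        return False
    return "*" in acl[match] or user in acl[match]


def handle(srv, method, path, user=None, body=None):
    """Return (status, body); for a 302 the body is the Location."""
    if method in WRITE_METHODS:
        # Weak form: one ACL for every method. Hardened form: writes need
        # their own grant, so an empty write_acl denies every PUT/DELETE.
        acl = srv.write_acl if srv.method_aware else srv.read_acl
    else:
        acl = srv.read_acl
    if not authorized(acl, path, user):
        return 403, None
    if method == "PUT":
        srv.files[path] = body
        return 201, None
    if method == "DELETE":
        return (204, None) if srv.files.pop(path, None) is not None else (404, None)
    if method != "GET":
        return 405, None
    if path in srv.files:
        return 200, srv.files[path]
    return (302, "/") if srv.redirect_missing else (404, None)


def fetch_following_redirect(srv, path, user=None):
    """A client that follows one redirect, as a crawler would."""
    status, body = handle(srv, "GET", path, user)
    if status == 302:
        status, body = handle(srv, "GET", body, user)
    return status, body


def parse_robots(text):
    """Lenient robots.txt reader: Disallow lines under 'User-agent: *'.
    Lines it cannot parse are skipped, so an HTML body yields no rules at
    all, i.e. the crawler concludes that nothing is off limits."""
    rules, applies = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "user-agent":
            applies = value == "*"
        elif key.lower() == "disallow" and applies and value:
            rules.append(value)
    return rules


def make_site(**flags):
    """Constructed sample site: /pub is world-readable, /staff is alice-only."""
    return Server(
        files={"/": "<html><title>Home</title><p>Welcome</p></html>",
               "/pub/report.txt": "public report",
               "/staff/memo.txt": "internal memo"},
        read_acl={"/": {"*"}, "/staff/": {"alice"}},
        write_acl={"/staff/": {"alice"}},
        **flags,
    )


if __name__ == "__main__":
    weak = make_site()
    # Anyone who may GET /pub/... may also overwrite or delete it.
    print(handle(weak, "PUT", "/pub/report.txt", body="defaced"))          # (201, None)
    print(handle(weak, "DELETE", "/pub/report.txt"))                       # (204, None)

    hard = make_site(method_aware=True)
    print(handle(hard, "PUT", "/pub/report.txt", body="defaced"))          # (403, None)
    print(handle(hard, "PUT", "/staff/memo.txt", "alice", "v2"))            # (201, None)

    soft404 = make_site(redirect_missing=True)
    print(fetch_following_redirect(soft404, "/robots.txt")[0])             # 200
    print(parse_robots(fetch_following_redirect(soft404, "/robots.txt")[1]))  # []
```

The check a practitioner wants from the weak server is the first two lines of the `__main__` block: with a single ACL, the same anonymous client that is allowed to read `/pub/report.txt` can replace and then remove it. The hardened server keeps the read policy unchanged and simply refuses writes that have no grant of their own. The redirect mode shows the other point in the post: a request for a file that does not exist, `/robots.txt` here, comes back as 200 with the home page instead of 404, and a lenient robots.txt reader turns that HTML into an empty rule set rather than an error.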