httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Wilson <>
Subject Re: WWW Form Bug Report: "Security bug involving ScriptAliased directories" on Linux
Date Thu, 02 Nov 1995 21:10:44 GMT
> The bug here seems to be that the Alias command and its (effective) variants
> can be foxed by giving them URIs with doubled slashes, which then fail to
> match.  In particular, if the target directory of a ScriptAlias command is
> actually, say, the cgi-bin subdirectory of DocumentRoot, this can be used
> to disable the effects of ScriptAlias.  Here is a patch against *0.8.16*
> which appears to cure the problem:

[really quite extraordinarily deep voodoo code snipped]

Agreed.  This bug also exists in 0.6.5 and NCSA 1.3R!.  A long long time
ago someone mentioned that there was a bug involving problems with
slashes which caused script source to be displayed instead of executing
the script itself.  Does anyone recall the precise nature of *that*
problem.  Did people just fuss until they got bored but didn't get
round to fixing the snafu?  Wups. ;{


ps.     this area of code is DANGEROUSLY arcane now - that is where
	bugs come from.

View raw message