httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Garey Smiley)
Subject Re: [Fwd: Apache Security Problem]
Date Mon, 08 Apr 1996 14:55:38 GMT
On Mon, 08 Apr 1996 11:36:26 -0600 you wrote:

>Just tried in on 1.1b0a and a 1.1dev of last week. I couldn't
>reproduce this...
>Content-Type: message/rfc822
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline
>From: (Nocturnal Guardian)
>Newsgroups: comp.infosystems.www.servers.unix,comp.infosystems.www.servers.misc
>Subject: Apache Security Problem
>Date: 8 Apr 1996 15:48:44 GMT
>Organization: Pacland Central
>Message-ID: <4kbcgs$>
>X-Newsreader: TIN [version 1.2 PL0]
>Xref: comp.infosystems.www.servers.unix:14024 comp.infosystems.www.servers.misc:4008
>I am running the OS/2 port of Apache 1.0.1, and there is a security hole in
>it.  A friend of mine tried to access http://my.server/cgi-bin/, and it 
>gave him a Forbidden - you do not have permission to access /cgi-bin/ on
>this server, which I believe is what it should have done.  Then he tried to
>access http://my.server/.\cgi-bin\/, and it gave him a directory listing of
>/cgi-bin/!  He then was able to read all of the files in that directory.
>I tried to create an index.html file in the cgi-bin directory, and that
>fixed the problem for that directory.  However, I then attempted to access
>http://my.server/.\..\/ and it also gave the directory listing!  I was able
>to access ALL of the files on my hard drive!!!  This is a serious security
>flaw, and I'm wondering if there is any way to fix it.  Has this been fixed
>in 1.0.2 or 1.0.3?

1.0.3 also does this. It is cause by some of the UNIX to OS/2 filenameing
conversion that the EMX libraries do. I am working on a fix. It should be done
in a day or two.

Garey Smiley
SoftLink Services
(216)848-1312 FAX/Data(216)699-4474

View raw message