Received: by taz.hyperreal.com (8.6.12/8.6.5) id LAA01562;
 Mon, 8 Apr 1996 11:56:41 -0700
Received: from aldhfn.aldhfn.org by taz.hyperreal.com (8.6.12/8.6.5) with
 ESMTP id LAA01554; Mon, 8 Apr 1996 11:56:36 -0700
Received: from main.slink.com (slink.com [199.18.242.17]) by aldhfn.aldhfn.org
 (8.6.12/8.6.11.1) with SMTP id OAA09555 for <new-httpd@hyperreal.com>;
 Mon, 8 Apr 1996 14:56:20 -0400
Received: from garey.slink.com by main.slink.com (IBM OS/2 SENDMAIL VERSION
 1.3.16/(1.0sosum)
	  for new-httpd@hyperreal.com; id AA8228; Mon, 08 Apr 96 14:55:41 -0400
Message-Id: <9604081855.AA8228@main.slink.com>
Date: Mon, 08 Apr 96 14:55:38 EDT
From: garey@main.slink.com (Garey Smiley)
To: new-httpd@hyperreal.com
X-Mailer: Garey Smiley's PMMail v1.1
Subject: Re: [Fwd: Apache Security Problem]
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com
Status: O
X-Status: 

On Mon, 08 Apr 1996 11:36:26 -0600 you wrote:

>Just tried in on 1.1b0a and a 1.1dev of last week. I couldn't
>reproduce this...
>
>--------------5F0458824352
>Content-Type: message/rfc822
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline
>
>Path: newshost.lanl.gov!ncar!gatech!swrinde!cs.utexas.edu!math.ohio-state.edu!magnus.acs.ohio-state.edu!lerc.nasa.gov!purdue!haven.umd.edu!cville-srv.wam.umd.edu!techno
>From: techno@wam.umd.edu (Nocturnal Guardian)
>Newsgroups: comp.infosystems.www.servers.unix,comp.infosystems.www.servers.misc
>Subject: Apache Security Problem
>Date: 8 Apr 1996 15:48:44 GMT
>Organization: Pacland Central
>Message-ID: <4kbcgs$n98@cville-srv.wam.umd.edu>
>NNTP-Posting-Host: rac1.wam.umd.edu
>X-Newsreader: TIN [version 1.2 PL0]
>Xref: newshost.lanl.gov comp.infosystems.www.servers.unix:14024 comp.infosystems.www.servers.misc:4008
>
>
>I am running the OS/2 port of Apache 1.0.1, and there is a security hole in
>it.  A friend of mine tried to access http://my.server/cgi-bin/, and it 
>gave him a Forbidden - you do not have permission to access /cgi-bin/ on
>this server, which I believe is what it should have done.  Then he tried to
>access http://my.server/.\cgi-bin\/, and it gave him a directory listing of
>/cgi-bin/!  He then was able to read all of the files in that directory.
>I tried to create an index.html file in the cgi-bin directory, and that
>fixed the problem for that directory.  However, I then attempted to access
>http://my.server/.\..\/ and it also gave the directory listing!  I was able
>to access ALL of the files on my hard drive!!!  This is a serious security
>flaw, and I'm wondering if there is any way to fix it.  Has this been fixed
>in 1.0.2 or 1.0.3?

1.0.3 also does this. It is cause by some of the UNIX to OS/2 filenameing
conversion that the EMX libraries do. I am working on a fix. It should be done
in a day or two.


Garey Smiley
SoftLink Services
garey@slink.com
http://www.slink.com/
(216)848-1312 FAX/Data(216)699-4474