httpd-dev mailing list archives

From "Garey Smiley" <>
Subject Fwd: (null)
Date Thu, 08 Aug 1996 01:49:24 GMT
Any ideas on this? Can anyone duplicate this on a Unix version of

==================BEGIN FORWARDED MESSAGE==================

I think I have discovered a security hole in Apache 1.1.1

I am running the OS/2 compile of 1.1.1 (zipfile size 1,320,540 dated 29-07-96 9:59) on OS/2 Warp (no fixpacks applied). I run the daemon and document dir mounted on TVFS (an OS/2 installable filesystem), so although the daemon is on g: and the docs on f:, they are both mounted on a virtual drive x:.

I have a directory structure:


access.conf has the following directives:

<Directory /www-docs>
Options None
AllowOverride None

order allow,deny
allow from all
</Directory>

<Directory /www-docs/Marketing>
Options Indexes FollowSymLinks Includes
AllowOverride All

order allow,deny
allow from all
</Directory>

httpd.conf has this:
Redirect /marketing

These dirs have no .htaccess files, however "u:\www-docs\Marketing\Staff\williams\private\stats" does. It looks like this:

AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null
AuthName Otago University Department of Marketing
AuthType Basic

<Limit GET>
require user john
</Limit>

My problem is this:
when I try to access
I am prompted for user name and password. Good. But if I try
(note lowercase 'm' in 'marketing') IT LETS ME IN! I have got the same result on IBM Web Explorer 1.1e, Netscape 1.1 and Netscape 1.2 for Windows.
From access_log:

unknown - [07/Aug/1996:15:52:35 +1300] "GET /marketing/staff/williams/private/stats HTTP/1.0" 302 -
unknown - [07/Aug/1996:15:52:36 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
unknown - [07/Aug/1996:15:52:55 +1300] "GET /marketing/staff/williams/private/stats/anova-age.html HTTP/1.0" 200 14460
unknown - [07/Aug/1996:16:00:57 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
unknown - [07/Aug/1996:16:00:59 +1300] "GET /marketing/staff/williams/private/stats/anova-age.html HTTP/1.0" 200 14460
unknown - [07/Aug/1996:16:01:04 +1300] "GET /marketing/staff/williams/private/stats/anova-gender.html HTTP/1.0" 200 16139
unknown - [07/Aug/1996:16:01:07 +1300] "GET /marketing/staff/williams/private/stats/mean-GENDER.html HTTP/1.0" 200 25049
unknown - [07/Aug/1996:16:24:42 +1300] "GET /Marketing/staff/williams/private/stats HTTP/1.0" 401 -
unknown - [07/Aug/1996:16:24:56 +1300] "GET /marketing/staff/williams/private/stats HTTP/1.0" 302 -
unknown - [07/Aug/1996:16:24:56 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420

Any clues?

The stuff at this location is not particularly sensitive or private, so feel free to try the URL for yourself.

Thanks in advance


===================END FORWARDED MESSAGE===================

Garey Smiley
SoftLink Services
(330)848-1312 FAX/Data(330)699-4474
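
Added example (not part of the original message, and not Apache code): a log check for the pattern visible in the access_log excerpt above, where a path that draws a 401 in one spelling is served without a challenge in another letter case. The function names are illustrative; the sample embeds four entries from the excerpt plus one constructed control line.

```python
import re

# Sample input: four entries copied from the access_log excerpt in the message,
# plus one constructed control line (the last) for a correctly-cased request.
SAMPLE_LOG = """\
unknown - [07/Aug/1996:15:52:36 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
unknown - [07/Aug/1996:15:52:55 +1300] "GET /marketing/staff/williams/private/stats/anova-age.html HTTP/1.0" 200 14460
unknown - [07/Aug/1996:16:24:42 +1300] "GET /Marketing/staff/williams/private/stats HTTP/1.0" 401 -
unknown - [07/Aug/1996:16:24:56 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
unknown - [07/Aug/1996:16:30:00 +1300] "GET /Marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
"""

ENTRY_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')


def parse(log_text):
    """Yield (timestamp, path, status) for each parsable log line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            yield m["ts"], m["path"], int(m["status"])


def under(path, prefix):
    """True if path is prefix itself or lies below it."""
    return path == prefix or path.startswith(prefix + "/")


def find_case_variant_access(log_text):
    """Flag requests served without a challenge whose path differs only in
    letter case from a path that drew a 401 elsewhere in the log."""
    entries = list(parse(log_text))
    # Pass 1: exact spellings the server challenged with 401.
    challenged = {p.rstrip("/") for _, p, s in entries if s == 401}
    flagged = []
    # Pass 2: non-error responses that match a challenged path only after case folding.
    for ts, path, status in entries:
        if status >= 400:
            continue
        for prot in challenged:
            if under(path.lower(), prot.lower()) and not under(path, prot):
                flagged.append((ts, path, status, prot))
                break
    return flagged


if __name__ == "__main__":
    for ts, path, status, prot in find_case_variant_access(SAMPLE_LOG):
        print(f"{ts}  {status}  {path}  (case variant of {prot})")
```

The check is a heuristic for servers on case-insensitive filesystems; a hit means the two spellings were treated differently by access control and the configuration needs review.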
