Received: by taz.hyperreal.com (8.7.5/V2.0) id SAA16067; Wed, 7 Aug 1996 18:48:38 -0700 (PDT)
Received: from aldhfn.aldhfn.org by taz.hyperreal.com (8.7.5/V2.0) with SMTP id SAA16056; Wed, 7 Aug 1996 18:48:34 -0700 (PDT)
Received: from main.slink.com (slink.com [199.18.242.17]) by aldhfn.aldhfn.org (8.6.12/8.6.11.1) with SMTP id VAA05763 for ; Wed, 7 Aug 1996 21:45:17 -0400
Received: from garey.slink.com by main.slink.com (IBM OS/2 SENDMAIL VERSION 1.3.17/(1.0sosum) for new-httpd@hyperreal.com; id AA3094; Wed, 07 Aug 96 21:49:26 -0400
Message-Id: <9608080149.AA3094@main.slink.com>
From: "Garey Smiley"
To: "Apache Developers Mailing List"
Date: Wed, 07 Aug 96 21:49:24 -0400
Priority: Normal
X-Mailer: Garey Smiley's Registered PMMail 1.52 For OS/2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Fwd: (null)
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

Any ideas on this? Can anyone duplicate this on a Unix version of Apache?

==================BEGIN FORWARDED MESSAGE==================

I think I have discovered a security hole in Apache 1.1.1. I am running the OS/2 compile of 1.1.1 (zipfile size 1,320,540 dated 29-07-96 9:59) on OS/2 Warp (no fixpacks applied). I run the daemon and document dir mounted on TVFS (an OS/2 installable filesystem), so although the daemon is on g: and the docs on f:, they are both mounted on a virtual drive x:.

I have a directory structure:

  u:\www-docs\Marketing\Staff\williams\private\stats

access.conf has the following directives:

  Options None
  AllowOverride None
  order allow,deny
  allow from all

  Options Indexes FollowSymLinks Includes
  AllowOverride All
  order allow,deny
  allow from all

httpd.conf has this:

  Redirect /marketing http://marketing.otago.ac.nz:800/Marketing

These dirs have no .htaccess files, however "u:\www-docs\Marketing\Staff\williams\private\stats" does.
It looks like this:

  AuthUserFile /etc/.htpasswd
  AuthGroupFile /dev/null
  AuthName Otago University Department of Marketing
  AuthType Basic
  require user john

My problem is this: when I try to access http://marketing.otago.ac.nz:800/Marketing/staff/williams/private/stats I am prompted for user name and password. Good. But if I try http://marketing.otago.ac.nz:800/marketing/staff/williams/private/stats (note lowercase 'm' in 'marketing') IT LETS ME IN! I have got the same result on IBM Web Explorer 1.1e, Netscape 1.1 and Netscape 1.2 for Windows.

From access_log:

celebrian.otago.ac.nz unknown - [07/Aug/1996:15:52:35 +1300] "GET /marketing/staff/williams/private/stats HTTP/1.0" 302 -
celebrian.otago.ac.nz unknown - [07/Aug/1996:15:52:36 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
celebrian.otago.ac.nz unknown - [07/Aug/1996:15:52:55 +1300] "GET /marketing/staff/williams/private/stats/anova-age.html HTTP/1.0" 200 14460
celebrian.otago.ac.nz unknown - [07/Aug/1996:16:00:57 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420
celebrian.otago.ac.nz unknown - [07/Aug/1996:16:00:59 +1300] "GET /marketing/staff/williams/private/stats/anova-age.html HTTP/1.0" 200 14460
celebrian.otago.ac.nz unknown - [07/Aug/1996:16:01:04 +1300] "GET /marketing/staff/williams/private/stats/anova-gender.html HTTP/1.0" 200 16139
celebrian.otago.ac.nz unknown - [07/Aug/1996:16:01:07 +1300] "GET /marketing/staff/williams/private/stats/mean-GENDER.html HTTP/1.0" 200 25049
ou092033.otago.ac.nz unknown - [07/Aug/1996:16:24:42 +1300] "GET /Marketing/staff/williams/private/stats HTTP/1.0" 401 -
ou092033.otago.ac.nz unknown - [07/Aug/1996:16:24:56 +1300] "GET /marketing/staff/williams/private/stats HTTP/1.0" 302 -
ou092033.otago.ac.nz unknown - [07/Aug/1996:16:24:56 +1300] "GET /marketing/staff/williams/private/stats/ HTTP/1.0" 200 1420

Any clues? The stuff at this location is not particularly sensitive or private, so feel free to try the URL for yourself.
Thanks in advance
John

===================END FORWARDED MESSAGE===================

Garey Smiley
SoftLink Services
garey@slink.com
http://www.slink.com/
(330)848-1312 FAX/Data(330)699-4474
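An added illustration of the bug class the report above points at; this is not code from the report, from Garey Smiley or from Apache. A per-directory access rule is keyed on one spelling of a filesystem path, while a case-insensitive filesystem such as TVFS (or HPFS, NTFS, default macOS volumes) serves the same file under any spelling, so a client that changes the case of a directory name reaches the file without the rule ever matching. The Python model below uses a constructed file set and rule table patterned on the paths in the report. `authorize` can match rules either against the path as the client spelled it (the vulnerable behaviour) or against the spelling the filesystem actually resolved it to (the fix), and `find_case_bypasses` probes case variants of a protected URL the way a tester would. Whether this is precisely what Apache 1.1.1 on OS/2 did, and what part the case-sensitive `Redirect /marketing` plays, is not established by the report; the example models the class, not Apache's code path.

```python
"""Toy model of a case-mismatch authorization bypass (added example, not Apache code).

Constructed scenario: a web server maps URL paths onto a case-insensitive
filesystem (OS/2 TVFS/HPFS here; NTFS and default macOS volumes behave alike)
but keys its per-directory access rules on a case-sensitive string compare.
"""
import posixpath

DOCROOT = "/www-docs"

# Constructed sample filesystem: canonical on-disk spellings. The volume is
# case-insensitive, so any case variant of these names opens the same file.
FILES = {
    "/www-docs/Marketing/index.html",
    "/www-docs/Marketing/Staff/williams/private/stats/index.html",
    "/www-docs/Marketing/Staff/williams/private/stats/anova-age.html",
}

# Constructed per-directory rule, standing in for the .htaccess "require user john".
AUTH_RULES = {
    "/www-docs/Marketing/Staff/williams/private/stats": {"john"},
}


def resolve_case_insensitive(fs_path):
    """Mimic a case-insensitive filesystem: return the on-disk spelling or None."""
    wanted = fs_path.lower()
    for canonical in FILES:
        if canonical.lower() == wanted:
            return canonical
    return None


def url_to_fs(url_path):
    """Translate a URL path to a filesystem path; normpath stops '..' escapes."""
    return DOCROOT + posixpath.normpath("/" + url_path.lstrip("/"))


def rule_for(fs_path):
    """Find the rule whose directory contains fs_path, by exact-case prefix match."""
    for rule_dir, users in AUTH_RULES.items():
        if fs_path == rule_dir or fs_path.startswith(rule_dir + "/"):
            return users
    return None


def authorize(url_path, user, canonicalize):
    """Return an HTTP status for url_path requested by user (None = anonymous).

    canonicalize=False: rules are matched against the path as the client
    spelled it (vulnerable). canonicalize=True: rules are matched against the
    spelling the filesystem actually resolved (fixed).
    """
    fs_path = url_to_fs(url_path)
    canonical = resolve_case_insensitive(fs_path)
    if canonical is None:
        return 404
    users = rule_for(canonical if canonicalize else fs_path)
    if users is None:
        return 200
    return 200 if user in users else 401


def case_variants(url_path):
    """All spellings of url_path that change the case of exactly one segment."""
    segs = url_path.strip("/").split("/")
    out = []
    for i, seg in enumerate(segs):
        for alt in (seg.lower(), seg.upper(), seg.capitalize()):
            if alt != seg:
                variant = "/" + "/".join(segs[:i] + [alt] + segs[i + 1:])
                if variant not in out:
                    out.append(variant)
    return out


def find_case_bypasses(url_path, canonicalize):
    """Variants an anonymous client can read although the exact spelling is protected."""
    if authorize(url_path, None, canonicalize) != 401:
        return []
    return [v for v in case_variants(url_path)
            if authorize(v, None, canonicalize) == 200]


if __name__ == "__main__":
    protected = "/Marketing/Staff/williams/private/stats/anova-age.html"
    for mode in (False, True):
        print("canonicalize =", mode)
        print("  exact spelling, anonymous:", authorize(protected, None, mode))
        print("  lowercase, anonymous:     ", authorize(protected.lower(), None, mode))
        print("  bypass variants:", len(find_case_bypasses(protected, mode)))
```

The fix the model demonstrates is to resolve the request to the filesystem's own spelling of the path before any rule lookup, so that every alias of a protected directory hits the same rule. Only case variants of the directory segments bypass the rule in the vulnerable mode; changing the case of the file name alone still falls under the protected directory prefix.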