httpd-dev mailing list archives

From Rob Hartill <>
Subject phf bug
Date Tue, 24 Sep 1996 17:54:51 GMT

I just had mail from someone who lost his password file to the cgi-bin/phf*
hole. This got me thinking..

Can anyone see a problem with adding something *similar* to

<Location /cgi-bin/phf*>
  <Limit GET PUT POST>
    deny from all
  </Limit>
  ErrorDocument 403
</Location>

to the standard conf files, so that unsuspecting Apache users with
the offending CGI in their cgi-bin directories can be protected from
the hole.

There must be a lot of sites out there who are unaware of the problem
which survives each server upgrade.

Whether we like it or not, new Apache users will bring this hole with
them from earlier installations.
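
An added example, not part of the original message: a Python script that audits an access log for requests matching the /cgi-bin/phf* pattern from the proposed <Location> block and groups them by whether the server ran the script (2xx), denied it (403) or had no such script (404). It assumes Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def is_phf_path(target):
    """True if the request path falls under the /cgi-bin/phf* pattern."""
    path = unquote(target.split("?", 1)[0])      # drop query string, decode %xx
    path = normpath("/" + path.lstrip("/"))      # collapse // and /./ first
    return path.startswith("/cgi-bin/phf")

def audit(lines):
    """Group phf requests by outcome; each hit is (host, time, target, status)."""
    report = {"executed": [], "denied": [], "absent": [], "other": []}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                             # not a CLF line
        host, when, _method, target, status = m.groups()
        if not is_phf_path(target):
            continue
        if status.startswith("2"):
            key = "executed"                     # the CGI ran: treat as an incident
        elif status == "403":
            key = "denied"                       # the deny rule answered
        elif status == "404":
            key = "absent"                       # script is not installed
        else:
            key = "other"
        report[key].append((host, when, target, int(status)))
    return report

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = """\
192.0.2.10 - - [24/Sep/1996:17:40:02 +0000] "GET /cgi-bin/phf?q=test HTTP/1.0" 200 512
192.0.2.10 - - [24/Sep/1996:17:41:10 +0000] "GET /index.html HTTP/1.0" 200 2048
198.51.100.7 - - [24/Sep/1996:17:50:33 +0000] "GET /cgi-bin//phf HTTP/1.0" 403 210
198.51.100.7 - - [24/Sep/1996:17:50:40 +0000] "POST /cgi-bin/%70hf.pl HTTP/1.0" 404 190
203.0.113.5 - - [24/Sep/1996:17:51:00 +0000] "GET /cgi-bin/finger HTTP/1.0" 200 100
"""

if __name__ == "__main__":
    for outcome, hits in audit(SAMPLE.splitlines()).items():
        for hit in hits:
            print(outcome, *hit)
```

Any entry under "executed" means the script was still present and reachable at that time, which is the case the deny rule is meant to close.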

