httpd-dev mailing list archives

From Ben Laurie <...@gonzo.ben.algroup.co.uk>
Subject Re: Security hole: force directory listings, avoid index.html
Date Mon, 25 Nov 1996 18:27:27 GMT
Brian Behlendorf wrote:
> 
> 
> With the current CVS tree:
> 
>   telnet www.apache.org 80
>   GET / HTTP/1.0
>   Accept: image/gif
>  
> What comes back is a directory listing of www.apache.org's root tree, even
> though there's an index.html there.  I consider this a security hole, in so far
> as people are considering index.html's as ways to protect the contents of a
> directory from indexing.  

Interesting. Of course, the type of the returned directory listing is
text/html, which doesn't match any Accept. Should the core catch this and
return an error (which error?).

There's also the question of why it happens in the first place?

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author
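
The check raised in the reply above (does the returned type match the request's Accept header, and is the body a directory listing?), as an added example that is not part of the original thread or of Apache's code. It goes beyond the single `Accept: image/gif` case by handling wildcards and q-values; the function names, the sample response and the "Index of" title marker used to recognise a listing are assumptions.

```python
# Added example: hypothetical helpers, constructed sample data.
def parse_accept(header):
    """Return [(type, subtype, q)] for each media range in an Accept header."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        mtype, _, subtype = parts[0].lower().partition("/")
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # treat a malformed q-value as "not acceptable"
        ranges.append((mtype, subtype or "*", q))
    return ranges

def acceptable(accept_header, content_type):
    """True if content_type is allowed by accept_header (no header allows all)."""
    if accept_header is None:
        return True
    ctype, _, csub = content_type.split(";")[0].strip().lower().partition("/")
    best = None  # (specificity, q) of the most specific matching range
    for mtype, subtype, q in parse_accept(accept_header):
        if mtype in ("*", ctype) and subtype in ("*", csub):
            spec = (mtype != "*") + (subtype != "*")
            if best is None or spec > best[0]:
                best = (spec, q)
    return best is not None and best[1] > 0

def audit(accept_header, raw_response):
    """Return findings for one request/response pair."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    ctype = headers.get("content-type", "")
    if ctype and not acceptable(accept_header, ctype):
        findings.append("type-not-acceptable")
    if "<title>index of " in body.lower():  # assumed listing marker
        findings.append("directory-listing")
    return findings

# Constructed sample response, modelled on the behaviour reported in the thread.
LISTING = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
           "<HTML><HEAD><TITLE>Index of /</TITLE></HEAD><BODY>...</BODY></HTML>")
```

Run against a directory that holds an index.html, `audit("image/gif", response)` returning both findings reproduces the report as a regression check. HTTP/1.1 defines status 406 Not Acceptable for the case where no available representation satisfies Accept.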
