httpd-dev mailing list archives

From Michael Douglass <miked...@texas.net>
Subject security bug in 1.1.3?
Date Fri, 21 Feb 1997 22:43:33 GMT
I haven't heard anyone in BUGTRAQ or BOS mention this so I thought I'd
bring it up.  I had several web servers running apache 1.1.3 where I
had the UserDir set to ./ so that the user's home page would literally
be their home directory.  (The machine is web only and they ftp their
pages in--so this is not a problem).

I had access.conf configured to give permissions to the directories where
the documents existed, etc. and assumed that the default permission was
DENY for any directories not listed in access.conf.  It appears this is
not the case as I had to put a literal <Directory /> with a <Limit> denying
from all.

The problem here was that you could do ~root and get /./ and the access.conf
file would not deny this action.  (The servers do not run as root, but this
is *still* generally not a good idea.)

I could be wrong in assuming that if the directory is not specified in
access.conf that the default would be DENY--but that makes too much
sense to me.  Why would DEFAULT behavior for an unlisted directory hierarchy
be to allow instead of deny?

Michael Douglass
Texas Networking, Inc.

 "The past is a foreign country; they do things differently there."
      L. P. Hartley, British author. The Go-Between, Prologue (1953).
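The default-deny arrangement the message describes, written out as an added example (not the author's own access.conf): a catch-all `<Directory />` that denies everything, followed by an explicit allow for the document tree, so that `~root` resolving to `/./` under `UserDir ./` falls under the deny rule instead of being served. The `/usr/local/etc/httpd/htdocs` path and the use of mod_access's `order`/`deny`/`allow` directives inside `<Limit>` are assumptions for illustration.

```apache
# Assumed location: access.conf on an Apache 1.1.x server.

# Catch-all: deny every method to every path not explicitly opened below.
# Without this block, a directory that is not listed is served by default.
<Directory />
    AllowOverride None
    <Limit GET POST>
        order deny,allow
        deny from all
    </Limit>
</Directory>

# Explicitly open only the document tree (assumed path).
<Directory /usr/local/etc/httpd/htdocs>
    <Limit GET POST>
        order allow,deny
        allow from all
    </Limit>
</Directory>

# With UserDir ./, ~root maps to /./ and is caught by the <Directory />
# deny above; the same applies to any other account's home directory
# that has not been opened with its own <Directory> block.
```

After restarting httpd, requesting `/~root/` should return 403 rather than a listing of `/`.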

