httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject sigh. iis...
Date Sun, 04 Jan 1998 05:28:03 GMT

Looking at IIS some more,

http://myserver/cgi-bin/mycgi.exe/../../foo/ will access the same thing as
http://myserver/foo/ 

That's kinda broken, no?

Only problem is that Apache does it too.  

With Apache, it logs it as /cgi-bin/mycgi.exe/../../foo (IIS doesn't).
This means that anyone can sneak around any billing based on logfile
analysis.

NS enterprise 3.x seems to just deny all requests with a /../ in the
request anywhere.
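
An added example, not part of the original message: a log-analysis pass that resolves `..` segments in the logged request path before counting hits, so an entry logged as /cgi-bin/mycgi.exe/../../foo/ is attributed to /foo/ and is also reported for review. The log lines and the function names `effective_path` and `account` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format), not from the message.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jan/1998:05:20:01 +0000] "GET /foo/ HTTP/1.0" 200 1200',
    '10.0.0.5 - - [04/Jan/1998:05:21:10 +0000] '
    '"GET /cgi-bin/mycgi.exe/../../foo/ HTTP/1.0" 200 1200',
    '10.0.0.9 - - [04/Jan/1998:05:23:00 +0000] "GET /bar/index.html HTTP/1.0" 200 300',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+)[^"]*"')


def effective_path(logged_path):
    """Resolve '.' and '..' segments so the path names the resource served."""
    path = logged_path.split("?", 1)[0]
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()  # step up one level, never above the root
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def account(lines):
    """Count hits per effective path; report entries whose logged path differs."""
    hits, flagged = Counter(), []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        logged = m.group(1).split("?", 1)[0]
        served = effective_path(logged)
        hits[served] += 1
        if served != logged:
            flagged.append((logged, served))
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = account(SAMPLE_LOG)
    for path, n in sorted(hits.items()):
        print(n, path)
    for logged, served in flagged:
        print("logged as", logged, "but served", served)
```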

