Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 22910 invoked by uid 6000); 22 Jan 1998 07:13:00 -0000
Received: (qmail 22904 invoked by uid 24); 22 Jan 1998 07:12:59 -0000
Message-Id: <3.0.3.32.19980121231303.00809c30@hyperreal.org>
X-Sender: brian@hyperreal.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Wed, 21 Jan 1998 23:13:03 -0800
To: new-httpd@apache.org
From: Brian Behlendorf
Subject: Lotus Domino server vulnerable
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

http://www.wired.com/news/news/business/story/9774.html

The short of it: having config files under your document root is bad.
Making them editable through the site is even worse!

I like this:

> The hole can be exploited in curious ways. At one
> vulnerable site, NBC Sports, a cracker could view the
> list of names for all customers who registered for
> the site's sweepstakes.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Optimism is a strategy for making       brian@apache.org
a better future." - Noam Chomsky      brian@hyperreal.org
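
An audit for the condition the message warns about, as an added example that is not part of the original message: it walks a document root and reports config-like files, marking those with loose write permissions. The pattern list, the function names and the use of group/other write bits as a stand-in for "editable through the site" are assumptions to adapt to the server in use.

```python
import fnmatch
import os
import stat
import tempfile

# Assumed set of config-like file names; extend for the server being audited.
CONFIG_PATTERNS = ("*.conf", "*.cfg", "*.ini", ".htpasswd")


def audit_docroot(docroot, patterns=CONFIG_PATTERNS):
    """Return sorted (relative_path, loosely_writable) pairs for config-like
    regular files found anywhere under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not any(fnmatch.fnmatch(name.lower(), p) for p in patterns):
                continue
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets, devices
            # Assumption: group/other write bits approximate "the web server
            # account can modify this file".
            loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            findings.append((rel, loose))
    return sorted(findings)


def demo():
    """Build a small constructed document root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "admin"))
        layout = {
            "index.html": 0o644,         # ordinary content, not reported
            "app.ini": 0o644,            # config under docroot, read-only
            "admin/server.conf": 0o666,  # config under docroot, writable
        }
        for rel, mode in layout.items():
            path = os.path.join(root, *rel.split("/"))
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_docroot(root)


if __name__ == "__main__":
    for rel, loose in demo():
        print(("WRITABLE " if loose else "present  ") + rel)
```

Any file reported at all belongs outside the document root; the ones marked writable are the worse case the message singles out.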