httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject RE: Showstoppers
Date Wed, 06 May 1998 18:41:07 GMT
On Wed, 6 May 1998, Dale Couch wrote:

> > >It gets even worse!  Any filename COMPONENT in the entire
> > path triggers this
> > >problem.  E.g.:
> > >
> > >  GET /con/aux/index.html HTTP/1.0
> > >
> 
> As of 1.3b7-dev this returns a 404.
> 
> "The requested URL /con/aux/index.html was not found on this server."
> 
> Tried it with Netscape, IE, and LWP.  Running Winnt 4.0 SP3.  I guess I am
> missing something.  Was there a report that this was possible?

The problem isn't necessarily just with requesting files with that name,
but with the whole workings of obscure ways to do things, anywhere that
filenames can be specified in htaccess files,etc. and the unusual ways
things can be exploited.

It takes a perverted mind to figure out the risks, and I'm only perverted
to Unix.


Mime
View raw message