httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [SECURITY] Apache-1.3.18
Date Fri, 09 Feb 2001 16:15:29 GMT
In my mind, it's a problem that should be fixed for the .18
release. Especially since it's one that we knew about and had
"thought" closed. I'm +1 for this!

Martin Kraemer wrote:
> 
> To clarify the analysis: the directory listing is shown if:
> 
> * mod_negotiation is enabled (Options +MultiViews)  AND
> 
> * the directory does NOT contain a file which has the name as
>   given in the DirectoryIndex directive (and therefore a scan is
>   performed to find a candidate with appropriate suffix)  AND
> 
> * the full path to the potential candidate exceeds the limit imposed
>   by the system (~1024)
> 
> That is the case for an apache server (1.3.10++, since Rev. 1.43 of
> httpd.conf-dist) when it is installed by default. But unless the end user
> really supplies multi-language variants, this may not be exploitable
> on a typical site.
> 
>    Martin
> -- 
> <Martin.Kraemer@Fujitsu-Siemens.com>    |       Fujitsu Siemens
>        <martin@apache.org>              |   81730  Munich,  Germany
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
          "Casanova will have many weapons; To beat him you will
              have to have more than forks and flatulence."
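
An added example, not part of the original message or of Apache's own code: a small Python audit for the first two conditions in Martin Kraemer's quoted analysis (MultiViews enabled, and directories that contain no file named by DirectoryIndex). The third condition depends on the request and is not checked; `SAMPLE_CONF`, `parse_conf` and `audit` are hypothetical names, and the parser deliberately ignores section scoping.

```python
import os

# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
# constructed example
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks MultiViews
</Directory>
DirectoryIndex index.html
"""

def parse_conf(text):
    """Return (multiviews_enabled, index_names) from httpd.conf text.

    Simplification (assumption): sections are ignored, so MultiViews counts
    as enabled if any Options line turns it on anywhere in the file.
    """
    multiviews = False
    index_names = ["index.html"]  # mod_dir default when the directive is absent
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        directive = words[0].lower()
        if directive == "options":
            opts = {w.lower() for w in words[1:]}
            if "multiviews" in opts or "+multiviews" in opts:
                multiviews = True
        elif directive == "directoryindex" and len(words) > 1:
            index_names = words[1:]
    return multiviews, index_names

def audit(docroot, index_names):
    """List (relative_dir, has_variants) for directories with no exact index file.

    has_variants is True when files such as index.html.en exist, i.e. names
    that content negotiation would consider for the missing index.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if any(name in files for name in index_names):
            continue  # an exact DirectoryIndex match exists; no suffix scan needed
        variants = any(f.startswith(n + ".") for f in files for n in index_names)
        findings.append((os.path.relpath(dirpath, docroot), variants))
    return sorted(findings)

if __name__ == "__main__":
    enabled, names = parse_conf(SAMPLE_CONF)
    print("MultiViews enabled:", enabled, "DirectoryIndex:", names)
```

Run `audit()` against the real document root only when `parse_conf()` reports MultiViews as enabled; each directory it returns meets the second condition in the quoted list.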
