httpd-dev mailing list archives

From Brian Pane <bp...@pacbell.net>
Subject mod_include and POST
Date Thu, 23 Aug 2001 22:43:56 GMT
This bit of logic in includes_filter() in mod_include looks
like a security hole:

    if (r->method_number != M_GET) {
        return ap_pass_brigade(f->next, b);
    }

It's possible to see the unparsed content of a file by just POSTing to it...

--Brian
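
Added example, not part of the original message or of the httpd code base: a regression check that scans captured response bodies, keyed by request method, for SSI directives that reached the client unparsed. The sample page source, the response bodies and the function names are constructed for illustration.

```python
import re
from typing import Dict, List

# mod_include directives have the form <!--#element attribute="value" ... -->
SSI_DIRECTIVE = re.compile(rb'<!--#([a-z]+)\b(.*?)-->', re.IGNORECASE | re.DOTALL)


def find_ssi_directives(body: bytes) -> List[str]:
    """Return the element names of SSI directives still present in a body."""
    return [m.group(1).decode("ascii").lower() for m in SSI_DIRECTIVE.finditer(body)]


def unparsed_methods(responses: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each method whose response leaked raw directives to what leaked."""
    leaks = {}
    for method, body in responses.items():
        found = find_ssi_directives(body)
        if found:
            leaks[method] = found
    return leaks


# Constructed sample: source of a hypothetical /status.shtml
PAGE_SOURCE = (
    b'<html><body>\n'
    b'<!--#set var="title" value="Status" -->\n'
    b'<h1><!--#echo var="title" --></h1>\n'
    b'<!--#include virtual="/footer.html" -->\n'
    b'</body></html>\n'
)

# Constructed sample responses: GET went through the parser, POST was
# passed down the filter chain untouched, as the message describes.
SAMPLE_RESPONSES = {
    "GET": b'<html><body>\n<!-- plain comment -->\n<h1>Status</h1>\n'
           b'<p>footer</p>\n</body></html>\n',
    "POST": PAGE_SOURCE,
    "HEAD": b'',
}

if __name__ == "__main__":
    for method, directives in unparsed_methods(SAMPLE_RESPONSES).items():
        print(f"{method}: unparsed SSI directives in response: {directives}")
```

An ordinary HTML comment does not match, so only bodies carrying `<!--#...-->` directives are flagged.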


