httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sun, 20 Aug 2006 19:27:16 GMT
Joshua Slive wrote:
> On 8/20/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:
> 
>> Ok. Then we can say: For some other reasons, it's not safe to make a
>> ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).
> 
> Yes, this is true.  *Alias* do not do the canonicalization necessary
> to assure they can't be bypassed.  That applies to any filesystem.
> The docs do make it clear in other places that the only safe way to
> protect content in the filesystem is using <Directory>.

Ding ding ding.  Now with some luck light bulbs will come on.

Alias / ScriptAlias have (1) function which is to point the URI space
into another filesystem space.  If the content is under DocumentRoot
there is no reason for alias.
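
The configuration point made in this thread, as an added example that is not part of the original message or of the Apache documentation. All paths are constructed, and the `Require` lines assume httpd 2.4 access-control syntax.

```apache
# Constructed layout for illustration; adjust paths to the local install.
DocumentRoot "/srv/www/htdocs"

# Weak: the alias target sits inside DocumentRoot. The scripts are then
# reachable through two mappings (the alias and the ordinary DocumentRoot
# translation), and only requests matching the alias prefix get the CGI handler.
# ScriptAlias /cgi-bin/ "/srv/www/htdocs/cgi-bin/"

# Alternative A: keep the scripts outside DocumentRoot, so the alias is the
# only URI mapping that reaches them. Policy is attached to the filesystem
# path with <Directory>, not to the URI.
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# Alternative B: the scripts stay under DocumentRoot and no alias is used.
# The CGI handler is bound to the directory itself, so it applies whichever
# URI ends up resolving to these files.
<Directory "/srv/www/htdocs/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    SetHandler cgi-script
    Require all granted
</Directory>
```

Alternatives A and B cover different directories; a deployment would normally pick one of them for a given set of scripts.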


