httpd-dev mailing list archives

From "Joshua Slive"
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sat, 19 Aug 2006 13:42:16 GMT

On 8/19/06, Carsten Wiedmann wrote:
> Why is it really bad to have a ScriptAlias inside the DocumentRoot? It's
> only another file system location. And it's only one line in the config file
> instead of four. You have only a problem because of the "unexpected"
> behavior of httpd with case-insensitive/case-preserved file systems ;-) And
> on Windows, the simplest way to make a consistent behavior with URIs is to
> have an alias match case-insensitive.

You seemed to miss the second part of my message, where I pointed out
that there are multiple ways to "skip around" aliases if they point to
directories that are otherwise accessible from the filesystem.  For
example, a request for //cgi-bin/file.cgi might work (I haven't tested
it) or using one of the other "funny" characteristics of the Windows
filesystem that make multiple URLs point to the same filesystem
location.  That is why if you want to restrict access to a filesystem
location, you need to use <Directory>, which knows about all these
funny things.
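
An added example, not part of the original message or the httpd project: a small Python audit that flags a ScriptAlias whose target sits under DocumentRoot without a <Directory> section binding the CGI handler to the filesystem location. The sample configurations and paths are constructed, and the line-based parsing is a simplification that ignores Include, <DirectoryMatch> and .htaccess.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample configs; the paths are assumptions, not from the thread.
WEAK = '''
DocumentRoot "C:/Apache/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache/htdocs/cgi-bin/"
'''
# Same layout, but CGI handling is tied to the directory itself.
HARDENED = WEAK + '''<Directory "C:/Apache/htdocs/cgi-bin">
    Options +ExecCGI
    SetHandler cgi-script
</Directory>
'''
# Script directory moved outside the document tree.
OUTSIDE = WEAK.replace("htdocs/cgi-bin", "cgi-bin")

def _path(text):
    # PureWindowsPath compares case-insensitively and drops trailing slashes,
    # so differently spelled names for one directory compare equal.
    return PureWindowsPath(text.strip().strip('"'))

def audit(conf):
    """Return ScriptAlias targets reachable through DocumentRoot that have
    no <Directory> section forcing the cgi-script handler."""
    docroot, targets, guarded, section = None, [], set(), None
    for line in conf.splitlines():
        line = line.strip()
        if m := re.match(r'DocumentRoot\s+(.+)', line, re.I):
            docroot = _path(m.group(1))
        elif m := re.match(r'ScriptAlias\s+\S+\s+(.+)', line, re.I):
            targets.append(_path(m.group(1)))
        elif m := re.match(r'<Directory\s+(.+)>', line, re.I):
            section = _path(m.group(1))
        elif re.match(r'</Directory>', line, re.I):
            section = None
        elif section is not None and re.match(r'SetHandler\s+cgi-script\b', line, re.I):
            guarded.add(section)
    findings = []
    for t in targets:
        inside = docroot is not None and (t == docroot or docroot in t.parents)
        covered = any(t == g or g in t.parents for g in guarded)
        if inside and not covered:
            findings.append(str(t))
    return findings
```
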

