httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Date Sat, 19 Aug 2006 17:54:04 GMT
On 8/19/06, Carsten Wiedmann <carsten_sttgt@gmx.de> wrote:

[I don't agree with large chunks of what you wrote, but the crux of
the matter is here:]

> And why are sometimes (part of) the URI is case-sensitive and sometimes not
> and what happens in consequence because of this behavior. And this behavior
> is the only reason why it can be (on some systems) a problem to have the
> ScriptAlias inside the DirectoryRoot.

That last sentence is simply not true.  Search the bugtraq
archives for all the other vulnerabilities in Windows web servers
caused by subtleties of the filesystem.

It is not the job of *Alias* to deal with that; the *Alias* directives
map a URL to the filesystem.  If you want to protect things in the
filesystem, you have <Directory>.

Yes, it would be nice if httpd could force the use of a canonical case
on case-insensitive filesystems.  It can be partially done with
mod_rewrite.  But that would not make it safe to use ScriptAlias in
the way you want.

Joshua.
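
The following is an added example, not part of the message above or of httpd itself: a small configuration audit that flags `ScriptAlias` targets lying inside `DocumentRoot`, comparing paths case-insensitively the way a Windows filesystem resolves them, and reports whether a `<Directory>` section exists for the target. The function names, the sample paths, and the simplifications (one global `DocumentRoot`, literal paths, no `Include` handling) are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample httpd.conf fragment (paths are illustrative).
SAMPLE_CONF = '''
DocumentRoot "C:/Apache2/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache2/htdocs/cgi-bin/"
ScriptAlias /tools/ "C:/Apache2/cgi-tools/"
<Directory "C:/Apache2/htdocs">
    Options None
</Directory>
'''

def win_path(raw):
    # PureWindowsPath compares case-insensitively, as the filesystem resolves names.
    return PureWindowsPath(raw.strip().strip('"'))

def inside(child, parent):
    return child == parent or parent in child.parents

def audit(conf):
    """Flag ScriptAlias targets that are also reachable through DocumentRoot.

    Returns (url_prefix, target, has_own_directory_section) tuples.
    """
    docroot, aliases, sections = None, [], []
    for line in conf.splitlines():
        line = line.strip()
        if m := re.match(r'DocumentRoot\s+(.+)$', line, re.I):
            docroot = win_path(m.group(1))
        elif m := re.match(r'ScriptAlias\s+(\S+)\s+(.+)$', line, re.I):
            aliases.append((m.group(1), win_path(m.group(2))))
        elif m := re.match(r'<Directory\s+(.+)>$', line, re.I):
            sections.append(win_path(m.group(1)))
    findings = []
    for url, target in aliases:
        if docroot is not None and inside(target, docroot):
            # A <Directory> section for the target is where filesystem-level
            # policy belongs; its contents still need review by hand.
            findings.append((url, target.as_posix(), target in sections))
    return findings

if __name__ == "__main__":
    for url, target, has_section in audit(SAMPLE_CONF):
        print(f"{url} -> {target} is inside DocumentRoot; "
              f"own <Directory> section: {has_section}")
```

A finding means the same files are reachable through the `DocumentRoot` mapping as well as through the alias, so any protection has to be attached to the directory, not to the URL prefix.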
