From: "Joshua Slive" (Sender: jslive@gmail.com)
To: dev@httpd.apache.org, "Carsten Wiedmann"
Date: Sat, 19 Aug 2006 13:54:04 -0400
Subject: Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm

On 8/19/06, Carsten Wiedmann wrote:

[I don't agree with large chunks of what you wrote, but the crux of the matter is here:]

> And why sometimes (part of) the URI is case-sensitive and sometimes not,
> and what happens in consequence because of this behavior. And this behavior
> is the only reason why it can be (on some systems) a problem to have the
> ScriptAlias inside the DirectoryRoot.

That last sentence is simply not true. Search the bugtraq archives for all the other vulnerabilities in windows web servers caused by subtleties of the filesystem. It is not the job of *Alias* to deal with that; the *Alias* directives map a URL to the filesystem. If you want to protect things in the filesystem, you have .

Yes, it would be nice if httpd could force the use of a canonical case on case-insensitive filesystems. It can be partially done with mod_rewrite. But that would not make it safe to use ScriptAlias in the way you want.

Joshua.
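An added configuration example, written for this page and not taken from the thread or from the httpd project, showing the layout the thread argues about and the two remedies Joshua points at: keeping the ScriptAlias target outside DocumentRoot, and protecting the filesystem path itself with a <Directory> block. The drive paths, directory names and script name are made up; the mod_rewrite block is the "partial" case canonicalisation he mentions and is labelled as such. The weak layout is left commented out so the file loads as written. Directory matching against the on-disk path should be verified on the target Windows build before relying on the <Directory> fallback alone.

```apache
# Constructed example for httpd on Windows (case-insensitive filesystem).
# Not from the original mailing-list thread; all paths are invented.

# --- Weak layout (commented out): ScriptAlias target inside DocumentRoot ---
# DocumentRoot "C:/www/htdocs"
# ScriptAlias /cgi-bin/ "C:/www/htdocs/cgi-bin/"
#
# ScriptAlias compares the URL prefix case-sensitively:
#   GET /cgi-bin/env.pl  -> prefix matches, env.pl runs as CGI
#   GET /CGI-BIN/env.pl  -> prefix does not match, request falls through
#                           to DocumentRoot and maps to
#                           C:/www/htdocs/CGI-BIN/env.pl
# A case-insensitive filesystem resolves that path to the real script,
# no CGI handler applies to it, and the file is served as static content.

# --- Hardened layout: scripts live outside DocumentRoot ---
DocumentRoot "C:/www/htdocs"
ScriptAlias /cgi-bin/ "C:/www/cgi-bin/"

<Directory "C:/www/cgi-bin">
    Options +ExecCGI
    AllowOverride None
    # Apache 2.4 access syntax; 2.2 and earlier use Order/Allow instead.
    Require all granted
</Directory>
# A request that misses the alias now maps under C:/www/htdocs,
# where no script source exists to be disclosed.

# --- Defence in depth if the directory must stay under DocumentRoot ---
# <Directory> applies to the filesystem path the request resolves to,
# however the URL was spelled, so everything in the directory is handed
# to the CGI handler rather than served raw when the alias is bypassed.
<Directory "C:/www/htdocs/cgi-bin">
    SetHandler cgi-script
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# --- Partial canonicalisation with mod_rewrite (server/vhost context) ---
# Redirects any case variant of the /cgi-bin/ prefix to the lowercase form.
# This only covers prefixes you list explicitly, which is why the thread
# calls it partial; it does not replace the <Directory> protection above.
RewriteEngine On
RewriteMap lc int:tolower
RewriteCond %{REQUEST_URI} !^/cgi-bin/
RewriteRule ^/(cgi-bin/.*)$ /${lc:$1} [NC,R=301,L]
```

The two <Directory> blocks work because they key on the resolved filesystem location, which is exactly the point made above: Alias-family directives only translate URLs, so access control for files has to be attached to the files, not to the URL prefix.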