httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Fri, 02 Sep 2011 07:49:09 GMT


Am 02.09.2011 09:39, schrieb Florian Weimer:
> * Reindl Harald:
> 
>> mtime -> well, is directly in the header -> Last-Modified
>> size -> well, directly in the header -> Content-Length
>> inode -> well, where is there any security implication?
> 
> I guess you could use it to form an NFS handle, and use that to bypass
> intended access restrictions.  But that's the fault of NFS, and systems
> which do not use cryptographic NFS handles probably use non-random or
> 32-bit inodes, which are open to guessing anyway

independend of the fact that i can guess it, it is really really not the problem
of httpd if some stupid guy has nFS opened on the internet


Mime
View raw message