httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject MAJOR SECURITY-PROBLEM Apache 2.4.6
Date Mon, 16 Sep 2013 11:56:55 GMT
Why in the world does Apache add the *source code* of the called PHP
script after the specified ErrorDocument? This is a major problem
and exactly *not* what should happen by a security option
________________________________________________

<Location "/cms.php">
 LimitRequestBody 10
</Location>

ErrorDocument 413 "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
Request Entity Too Large</title><style
type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none; font-size:16px;}
body {margin:0px;
padding:15px;}</style></head><body><h1 style='margin-top:0px; font-size:18px;'>Error
413</h1><p>Request Entity Too
Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
href='mailto:server-admins@thelounge.net?subject=Server-Error-413'>server-admins@thelounge.net</a></p></body></html>"
________________________________________________

OUTPUT TO THE BROWSER (stripped, yes it adds the complete PHP script)

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'
'http://www.w3.org/TR/html4/loose.dtd'><html><head><title>Error 413 -
Request Entity Too Large</title><style
type='text/css'>* {font-family:Arial,Helvetica; text-decoration:none; font-size:16px;}
body {margin:0px;
padding:15px;}</style></head><body><h1 style='margin-top:0px; font-size:18px;'>Error
413</h1><p>Request Entity Too
Large / Anfrage zur Bearbeitung zu lang<br />Tech. Contact: <a
href='mailto:admin@rhsoft.net?subject=Server-Error-413'>admin@rhsoft.net</a></p></body></html><?php
 /**
  CONTENT MANAGMENT SYSTEM / CONTENTLOUNGE
  ------------------------------------------------------------------
  AENDERUNGEN UND WEITERGABE DIESER DATEI OHNE RUECKSPRACHE MIT DEM
  ENTWICKLER SIND LIZENZRECHTLICH NICHT GESTATTET!
  ---------------------------------------------------
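
A check an administrator could run against replies from their own server to catch the behaviour reported above: it flags an error response whose body carries script source in addition to the ErrorDocument. This is an added example, not part of the original message; the function names, the marker list and the sample bodies are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Opening tags of server-side script source that must never reach a client.
SOURCE_MARKERS = (b"<?php", b"<?=", b"<%")
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)


def check_error_body(status, body):
    """Return the findings for one error response (status code + raw body bytes)."""
    match = HTML_END.search(body)
    # Everything after the first </html> is not part of the ErrorDocument.
    trailing = body[match.end():].strip() if match else b""
    markers = [m.decode() for m in SOURCE_MARKERS if m in body]
    return {
        "status": status,
        "trailing_bytes": len(trailing),
        "markers": markers,
        "leak": bool(markers),
    }


def probe(url, size=64):
    """POST `size` bytes to a URL on your own server and check the reply."""
    req = urllib.request.Request(url, data=b"A" * size, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return check_error_body(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx replies arrive as exceptions
        return check_error_body(err.code, err.read())


# Constructed samples modelled on the output quoted in the message.
ERROR_PAGE = (b"<html><head><title>Error 413</title></head>"
              b"<body><h1>Error 413</h1></body></html>")
LEAKY = ERROR_PAGE + b"<?php\n /**\n  CONTENT MANAGMENT SYSTEM\n"
CLEAN = ERROR_PAGE + b"\n"

if __name__ == "__main__":
    print(check_error_body(413, LEAKY))
    print(check_error_body(413, CLEAN))
```

`probe()` is only useful against a location that has a `LimitRequestBody` smaller than `size`, as in the configuration quoted in the message.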

