httpd-docs mailing list archives

From Tony Finch <...@dotat.at>
Subject Re: cvs commit: httpd-2.0/docs/manual/vhosts fd-limits.html.en
Date Sun, 16 Jun 2002 22:00:58 GMT

On Sat, Jun 15, 2002 at 10:15:17PM -0400, Joshua Slive wrote:
> Rich Bowen wrote:
> > 
> > Can you elaborate on that? Why would the vhost name ever have a slash in
> > it? I can see that it could be a security problem, but how would one
> > ever get in there?

Script kiddies.

> I guess you can put pretty much whatever you like in the Host: header.
> It is not a major security hole, in my opinion, but it is better not
> allowed.  Cliff just checked in a fix to get rid of the problem in
> httpd-2.0.

Before this hole was fixed in 1.3 it exposed the password file etc.

Tony.
-- 
f.a.n.finch <dot@dotat.at> http://dotat.at/
IRISH SEA: SOUTHERLY 5 TO 7, OCCASIONALLY GALE 8. RAIN THEN FAIR. MODERATE
WITH FOG PATCHES BECOMING GOOD.
