httpd-users mailing list archives

From "Korey G." <ko...@awpg.com>
Subject Re: [Apache] script alias
Date Wed, 10 Jul 2002 21:59:31 GMT
I take it back,
  Apache won't allow script processing through symlinks,
-Security Concerns
--Snip--

         It is also possible, in very rare conditions, for this
         to be used to bypass htaccess files restricting access to
         a directory or file.  The only case where this can happen
         is if the attacker can form a request that results in the
         full path to the htaccess file being too long (on most
         systems, meaning over 1024 characters) yet the request for
         the protected file in the same directory is not too long.
         The only normal case where such an attack could be possible
         is if there is a symbolic link such as "somedir -> ."
         created in the document tree.
-- http://httpd.apache.org/info/security_bulletin_1.2.5.html
--Snip--




At 14:17 7/10/02 -0700, you wrote:
>But I see your point,
>  it would be interesting to run some benchmarks on the theory,
>I'll keep you updated,
>-Korey
>
>
>At 13:04 7/10/02 -0500, you wrote:
>>I'm interested in your comment.  I'm thinking like a unix programmer. . .
>>A symlink at the OS level seems more efficient than adding a logic instruction
>>to a HLL program, i.e., the httpd server.  In other words, the httpd has to go
>>through some if-then-else gyrations that are otherwise implicit at the OS level;
>>therefore, why not use a symbolic link?  Additionally, you can set (i.e., chmod)
>>permissions at the file level, rather than deal with the httpd allow/deny scenario,
>>granted that there may be some message handling advantages that I'm not
>>taking into consideration.
>>
>>Ron W.
>>>----- Original Message -----
>>>From: Korey G. <korey@awpg.com>
>>>To: users@httpd.apache.org
>>>Sent: Wednesday, July 10, 2002 3:45 PM
>>>Subject: Re: [Apache] script alias
>>>
>>>no, because httpd.conf is tha bomb!
>>>symbolic linkage is a cop out
>>>
>>>At 12:41 7/10/02 -0500, you wrote:
>>> >Perhaps, create a symbolic link (assuming that you're running on unix) to
>>> >the abbreviated spelling?
>>> >(. . .rather than deal with script aliases.)
>>> >>----- Original Message -----
>>> >>From: Jason <apache@swift-web.com>
>>> >>To: users@httpd.apache.org
>>> >>Sent: Wednesday, July 10, 2002 12:22 PM
>>> >>Subject: RE: [Apache] script alias
>>> >>
>>> >> > -> How do I make a script alias so that I can do this:
>>> >> > ->
>>> >> > -> pull up mydomain.com/script.cgi
>>> >> > -> when it's actually located
>>> >> > -> in mydomain.com/cgi-bin/script.cgi
>>> >> >
>>> >> > why?
>>> >>
>>> >>I wondered the same thing only reducing it a bit further than the above
>>> >>example.  My reasons were to shorten
>>> >>domain.com/cgi-bin/webmailprogram.cgi
>>> >>to
>>> >>domain.com/webmail
>>> >>
>>> >>Is that possible and if so does it open up major security issues?
>>> >>-Jay
>>> >>
>>> >>
>>> >>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
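
The security bulletin quoted at the top of this message names a symbolic link such as "somedir -> ." in the document tree as the precondition for the htaccess bypass. As an added example (not part of the original thread and not Apache's own code), this Python script audits a document root for symlinks that resolve to their own directory or to an ancestor of it; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_ancestor_symlinks(docroot):
    """Return sorted paths (relative to docroot) of symlinks whose target is
    the link's own directory or one of its ancestors, e.g. "somedir -> .".
    Such a link lets one path segment repeat without limit in a request."""
    root = os.path.realpath(docroot)
    hits = []
    # followlinks=False: never descend through a link, so a loop cannot trap the walk.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        parent = os.path.realpath(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # Flag "target == parent" and "target is a path prefix of parent".
            prefix = target.rstrip(os.sep) + os.sep
            if parent == target or parent.startswith(prefix):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed document tree for the demo (not from the original post)."""
    protected = os.path.join(base, "protected")
    os.makedirs(os.path.join(protected, "deep"))
    os.makedirs(os.path.join(base, "shared"))
    open(os.path.join(protected, ".htaccess"), "w").close()
    os.symlink(".", os.path.join(protected, "somedir"))        # the bulletin's case
    os.symlink("../..", os.path.join(protected, "deep", "up"))  # resolves to an ancestor
    os.symlink("../shared", os.path.join(protected, "assets"))  # sibling dir: not flagged
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link in find_ancestor_symlinks(build_sample_tree(tmp)):
            print("self-referential symlink:", link)
```

Links reported by the audit are candidates for removal, or for replacement with an explicit alias in httpd.conf.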

