httpd-users mailing list archives

From Eric Frazier
Subject Re: [users@httpd] Security vulnerability on Apache web server
Date Wed, 10 Sep 2003 02:31:47 GMT

Did you by any chance recently buy a Verisign cert? 

1. is complete crap unless you are running as root or doing something else
to mess up the default config.
2. I am not as sure about, I have heard of it before, but don't know of any
particular real exploit with 1.3


At 12:29 PM 9/10/03 +0800, Cui Xiaojing-a13339 wrote:
>Hello All,
>I was reported two security vulnerabilities on the Apache web server,
>please see below. Could you please give me help with how to solve the
>problem? It is urgent. My Apache version is 1.3. Thanks a lot.
>1. rootdotdot: HTTP "dot dot" sequences 
>Port 8080
>An attacker can traverse directories on vulnerable Web servers by using
>"dot dot" sequences in URLs, allowing the attacker to read any file on
>the target HTTP server that is world-readable or readable by the ID of
>the HTTP process. For example, a URL of the form (\..) allows anyone to
>browse and download files outside of the Web server content root
>directory. URLs such as (\..\) script-name could allow an attacker to
>execute the target script. An attacker can use a listing of this
>directory as additional information for planning a structured attack, or
>could download files elsewhere in the file system.
>2. HttpTraceEnabled: HTTP TRACE is enabled
>HTTP TRACE support is enabled on the Web server. The HTTP TRACE method as
>described in RFC 2516 of the HTTP 1.1 standard is typically used for
>debugging and network analysis purposes to request the contents of HTTP
>request messages received by the Web server. On Web servers with HTTP
>TRACE support enabled, a remote attacker could leverage this
>functionality with known cross-site scripting and other Web browser
>vulnerabilities to obtain sensitive information about the Web server,
>including server cookies and authentication information. This
>information could then be used by the attacker to launch further attacks
>against the affected Web server.
>The official User-To-User support forum of the Apache HTTP Server Project.

(250) 655 - 9513 (PST Time Zone)

"Inquiry is fatal to certainty." -- Will Durant 
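
Added example, not part of the original messages: a Python sketch that scans Common Log Format access-log lines for the two request patterns the quoted scanner report names, TRACE requests and "dot dot" paths that climb above the content root, and reports the status code the server returned. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def escapes_root(target):
    """True if the decoded request path climbs above the content root."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # repeat so double-encoded dots (%252e) are decoded too
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def review(lines):
    """Return (host, finding, target, status) for TRACE and dot-dot requests."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, method, target, status = m.groups()
        if method.upper() == "TRACE":
            findings.append((host, "trace", target, int(status)))
        elif escapes_root(target):
            findings.append((host, "dotdot", target, int(status)))
    return findings

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [10/Sep/2003:12:29:00 +0800] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [10/Sep/2003:12:29:05 +0800] "TRACE / HTTP/1.1" 200 156',
    '192.0.2.12 - - [10/Sep/2003:12:29:09 +0800] "GET /docs/../../x.txt HTTP/1.0" 400 301',
    '192.0.2.12 - - [10/Sep/2003:12:29:11 +0800] "GET /a/%2e%2e/%2e%2e/x HTTP/1.0" 404 280',
    '192.0.2.13 - - [10/Sep/2003:12:29:15 +0800] "GET /docs/../index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

In the constructed sample, the status field separates a request that was answered (the TRACE line, 200) from ones the server refused (the dot-dot lines, 400 and 404); the last line stays inside the content root and is not flagged.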
