httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] Redirect for the "..\.." Security Issue
Date Thu, 06 Nov 2003 17:46:40 GMT

On Thu, 6 Nov 2003, Strader, William Alexander (WAX) wrote:

> Does anyone know how to redirect that "..\.." security issue to a 404
> page... We are undergoing a security audit and they keep freaking out because
> if they go to http://webserver/somedir/..\..\..\..\..\etc\passwd they see a
> directory listing.  The directory listing they see is the same as if they
> go to http://webserver/somedir/ which is supposed to be there.... So it
> isn't a security issue but every time they get a 200 vs a 404 when they do a
> "..\.." they freak out... Anyone know of a way to send them to 404 or
> something?

# Deny any request whose URL path contains ".."
<LocationMatch \.\.>
Order allow,deny
Deny from all
</LocationMatch>

Might do the trick.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
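
The block from the reply above, carried over to Apache 2.4 syntax and set beside a variant that answers with 404 as the question asked. This is an added example, not part of the original thread; it assumes mod_authz_core and mod_alias are loaded and that the request path still contains ".." when these directives are evaluated. Use one of the two options, not both.

```apache
# Option A: refuse the request. The client receives 403 Forbidden.
# "Order allow,deny" / "Deny from all" is the 2.0/2.2 form
# (mod_access, later mod_authz_host); 2.4 expresses the same
# rule with Require from mod_authz_core.
<LocationMatch "\.\.">
    Require all denied
</LocationMatch>

# Option B: answer 404 Not Found instead of 403.
# mod_alias accepts a status outside the 3xx range when the
# target URL argument is omitted.
RedirectMatch 404 "\.\."

# Check against your own server after reloading the configuration
# (URL taken from the question; expect 403 for A, 404 for B):
#   curl -s -o /dev/null -w '%{http_code}\n' 'http://webserver/somedir/..\..\..\..\..\etc\passwd'
```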

