httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: [users@httpd] mod_xsendfile and security issues
Date Thu, 24 Aug 2006 14:36:26 GMT
On Thursday 24 August 2006 12:12, Jose Adriano Baltieri wrote:

> However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
> will go along to client side, revealing to client side my internal file
> system paths.

Does Header Unset x-sendfile have any effect?

> I think this is a severe security vulnerability.

Well, it may be unwanted, but to be a secure security
vulnerability seems to imply that security depends on
obscurity.

> Can you notice the same problem ?

I don't expect many people here use that module.
Have you asked its developer?

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message