httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <>
Subject Re: [users@httpd] mod_xsendfile and security issues
Date Thu, 24 Aug 2006 14:36:26 GMT
On Thursday 24 August 2006 12:12, Jose Adriano Baltieri wrote:

> However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
> will go along to client side, revealing to client side my internal file
> system paths.

Does Header Unset x-sendfile have any effect?

> I think this is a severe security vulnerability.

Well, it may be unwanted, but to be a secure security
vulnerability seems to imply that security depends on

> Can you notice the same problem ?

I don't expect many people here use that module.
Have you asked its developer?

Nick Kew

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message