httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose Adriano Baltieri <jabal...@unimep.br>
Subject [users@httpd] mod_xsendfile and security issues
Date Thu, 24 Aug 2006 11:12:21 GMT
I'm using mod_xsendfile 
(http://celebnamer.celebworld.ws/stuff/mod_xsendfile) with Apache 2.0.58 
on Windows.

My scripts are issuing the x-sendfile http header and, Apache is 
interpreting it correctly, sending the designated file path to the 
client. So far, so good.

However, Apache DOES NOT remove or "swallows" the x-sendfile header. It 
will go along to client side, revealing to client side my internal file 
system paths.

I think this is a severe security vulnerability.

Can you notice the same problem ?

If not:

- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt 
and in which order ?

If you're having the same problem:

- How can we fix it ?

Thanks in advance for you help !


-- 
Obrigado,
------------------------------------------------------------------------------
                Jose Adriano Baltieri - Analista de Sistemas
                DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
                PIRACICABA - SP - Brasil - Fone : (19) 3124-1858
------------------------------------------------------------------------------


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message