httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jose Adriano Baltieri <>
Subject [users@httpd] mod_xsendfile and security issues
Date Thu, 24 Aug 2006 11:12:21 GMT
I'm using mod_xsendfile 
( with Apache 2.0.58 
on Windows.

My scripts are issuing the x-sendfile http header and, Apache is 
interpreting it correctly, sending the designated file path to the 
client. So far, so good.

However, Apache DOES NOT remove or "swallows" the x-sendfile header. It 
will go along to client side, revealing to client side my internal file 
system paths.

I think this is a severe security vulnerability.

Can you notice the same problem ?

If not:

- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt 
and in which order ?

If you're having the same problem:

- How can we fix it ?

Thanks in advance for you help !

                Jose Adriano Baltieri - Analista de Sistemas
                DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
                PIRACICABA - SP - Brasil - Fone : (19) 3124-1858

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message