www-apache-bugdb mailing list archives

From Lauri Jesmin <jes...@ut.ee>
Subject mod_userdir/1701: UserDir and absolute path.
Date Tue, 20 Jan 1998 09:27:30 GMT

>Number:         1701
>Category:       mod_userdir
>Synopsis:       UserDir and absolute path.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jan 20 01:30:00 PST 1998
>Originator:     jesmin@ut.ee
>Release:        1.2.5
This problem was discovered under RedHat 5.0 with Linux 2.0.33 and also works
with IRIX 6.3. In both cases compiled with gcc.

If we set UserDir to an absolute path (UserDir /home/web/ for example) then
Apache just adds the username to this directory (for ~foo it is /home/web/foo).
But it's possible to give . or .. as the username. So if you try to access ~.
you can see the listing of UserDir (in our example /home/web) if there is no
index.html or equivalent. And if we use .. as the username, so that we try to
access ~.. on the server, we can see one directory up from UserDir (/home in
our example). If we use ~../.. as the username, the handling seems to be correct.

Just set the UserDir to /tmp and watch your /tmp directory and / directory
from a browser.

Probably check the username if UserDir is given as an absolute path, and if it
is . or .. , deny access.
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
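
The check the report proposes, as an added example (not part of the original message and not Apache's own code): a hypothetical map_userdir() helper joins the user name from a /~name request to an absolute UserDir and declines empty, "." and ".." names. It assumes the server has already normalized the rest of the path, so only the name component is checked here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption for illustration, not mod_userdir code).
 * Maps "/~name[/rest]" onto an absolute UserDir.
 * Returns 0 and fills `out` on success, -1 if the request must be declined. */
int map_userdir(const char *userdir, const char *uri, char *out, size_t outlen)
{
    const char *name, *rest;
    size_t nlen, dlen;
    int n;

    /* Only the absolute-path form of UserDir is handled here. */
    if (userdir[0] != '/' || strncmp(uri, "/~", 2) != 0)
        return -1;

    name = uri + 2;
    rest = strchr(name, '/');            /* NULL when nothing follows the name */
    nlen = rest ? (size_t)(rest - name) : strlen(name);

    /* Decline empty, "." and ".." names: joined to an absolute UserDir they
     * resolve to the UserDir itself or to its parent directory. */
    if (nlen == 0 ||
        (nlen == 1 && name[0] == '.') ||
        (nlen == 2 && name[0] == '.' && name[1] == '.'))
        return -1;

    /* Trim trailing slashes so "/home/web/" and "/home/web" behave alike. */
    dlen = strlen(userdir);
    while (dlen > 0 && userdir[dlen - 1] == '/')
        dlen--;

    n = snprintf(out, outlen, "%.*s/%.*s%s",
                 (int)dlen, userdir, (int)nlen, name, rest ? rest : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;   /* decline if truncated */
}

int main(void)
{
    /* Constructed sample requests, using the report's example UserDir. */
    const char *uris[] = { "/~foo", "/~.", "/~..", "/~foo/index.html" };
    char path[256];
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        int rc = map_userdir("/home/web/", uris[i], path, sizeof path);
        printf("%-18s -> %s\n", uris[i], rc == 0 ? path : "declined");
    }
    return 0;
}
```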
