www-apache-bugdb mailing list archives

From Andreas Heilwagen <hostmas...@netguru.org>
Subject config/1927: Get full access to apache installation path by misusing https
Date Tue, 10 Mar 1998 10:13:47 GMT
Hello,

marc@hyperreal.org wrote:
> 
> First, we have nothing to do with the SSL patches so we can not
> do anything about them.  Can you reproduce this problem without
> them?

The point is that you need the https support to drop to an unwanted
http server which is not configured. I do not know how the module
stuff exactly works, but I think the SSL module fails to check if
the mentioned problem occurs. On the other hand there could be a
reason to check for unconfigured URLs in the apache code to get
on the safe side concerning new modules.

I will send information on this problem to the SSL guy. So you will
not lose any time in implementing new code and tracking more important
problems.

> What path are you talking about?  ie. what define in
> httpd.h is set to it?  What is your DocumentRoot
> set to in your main server config?  ie. not any virtualhost.

I had my DocumentRoot set to the installpath of apache. After
recompiling the code it points to a location where nobody can
get any files and only gets a short go-away message. To set
it to the point where the virtual servers stuff lives would be
no good idea.

> Exactly what you are saying is the problem isn't really
> clear.  I don't see how adding an index.html file would
> help anything if what you explain is correct; then all they
> have to do is guess the name of what they want, which isn't
> too hard.

You're right, there were too many things I had to handle at once
in that moment. Especially that guy who told us that he "attacked"
us successfully was not a nice one. I had to find a quick solution
to block him from accessing more files. I don't think that he got
the interesting non-standard parts of directory/file structure.

Bye,
  Andreas Heilwagen.

    _   __     __  ______
   / | / /__  / /_/ ____/_  _________  __    ____  _________ _
  /  |/ / _ \/ __/ / __/ / / / ___/ / / /   / __ \/ ___/ __ `/
 / /|  /  __/ /_/ /_/ / /_/ / /  / /_/ / _ / /_/ / /  / /_/ /
/_/ |_/\___/\__/\____/\__,_/_/   \__,_/ (_)\____/_/   \__, /
e-mail: <hostmaster@netguru.org>  http://netguru.org /____/
