www-apache-bugdb mailing list archives

From Dan Stevenson <dani...@media.mit.edu>
Subject general/2030: spelling error possibilities include files that shouldn't be seen
Date Thu, 02 Apr 1998 19:05:44 GMT

>Number:         2030
>Category:       general
>Synopsis:       spelling error possibilities include files that shouldn't be seen
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr  2 11:10:01 PST 1998
>Last-Modified:
>Originator:     daniels@media.mit.edu
>Organization:
apache
>Release:        1.3b5
>Environment:
Sun Solaris 2.5
from uname -a:
SunOS barrett-1 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-5
>Description:
When the client requests a URL that does not exist, and mod_speling cannot
find a single replacement, it lists many possibilities (code 300, multiple
choices). Those include URLs that, when selected, generate 403 (or other)
errors because they are forbidden. In fact, the read permissions are such
that the user that runs the httpd (nobody) should be unable to see the files.
>How-To-Repeat:
http://classics.mit.edu/Tacitus/histories.123.html

The files ending in .gz have file permissions 400, where the owner is not
the userid of the httpd.
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]



