BugTraq
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 03 2004 11:37PM
langtuhaohoa caothuvolam (trungonly yahoo com)
(1 replies)
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 04 2004 06:07PM
André Malo (nd perlig de)
(1 replies)
* langtuhaohoa caothuvolam <trungonly (at) yahoo (dot) com> wrote:
> Deny From All: In this way they can access from outside the server.
You mean: An attacker needs to place such a script on the server, which
includes the requested uri.
If he's able to do so, he can
(a) read the file anyway
(b) simply open it from inside the script using normal file operations.
I cannot see a vuln here. If he's able to take the actions described above,
one has *real* trouble on the server.
This seems to me the same topic as the mod_perl hijacking. If you don't trust
your users, don't let them execute code from inside the server.
nd
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 04 2004 11:55PM
Dan Yefimov (dan integrate com ru)
(3 replies)
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 06 2004 04:47PM
Tyler Larson (noreply tlarson com)
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 06 2004 02:54PM
Todd C. Campbell (todd campbell core com)
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
Feb 06 2004 05:41AM
Seth Arnold (sarnold wirex com)
Copyright 2010, SecurityFocus