Matt Watchinski wrote:

> # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> # Author: Matt Watchinski
> # Ref: SecurityFocus BID 2503
> #
> # Affects: Apache 1.3.17 and below

Doh! From apache 1.3.x CHANGES file:

Changes with Apache 1.3.18 [not released]

  *) SECURITY: The default installation could lead to mod_negotiation
     and mod_dir/mod_autoindex displaying a directory listing instead of
     the index.html.* files, if a very long path was created
     artificially by using many slashes. Now a 403 FORBIDDEN is
     returned. [Martin Kraemer]

Of course, 1.3.19 _was_ released. Ages ago.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 12:30:43 PDT
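Added example, not part of the original message or of Apache's own code: a Python check that reviews access-log lines for slash-padded request paths and separates the ones answered with 403 (the behaviour the CHANGES entry describes) from the ones that were served. It assumes Common Log Format; the `MIN_SLASH_RUN` cut-off, the function names and the sample lines are constructed for illustration, since the CHANGES entry only says "many slashes".

```python
import re

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
SLASH_RUN = re.compile(r'/{2,}')

# Assumption: the CHANGES entry gives no number; this cut-off is a tunable guess.
MIN_SLASH_RUN = 32

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' in the path (query ignored)."""
    path = path.split('?', 1)[0]
    return max((len(m.group()) for m in SLASH_RUN.finditer(path)), default=0)

def review(lines, min_run=MIN_SLASH_RUN):
    """Return (host, run_length, status, verdict) for each slash-padded request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        host, _method, path, status = m.groups()
        run = longest_slash_run(path)
        if run < min_run:
            continue
        if status == '403':
            verdict = 'refused'  # what the CHANGES entry says a fixed server returns
        elif status.startswith('2'):
            verdict = 'served'   # content came back: check whether it was a listing
        else:
            verdict = 'other'
        findings.append((host, run, status, verdict))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [14/Jun/2001:12:00:01 -0700] "GET /index.html HTTP/1.0" 200 1456',
    '192.0.2.77 - - [14/Jun/2001:12:00:05 -0700] "GET /' + '/' * 40 + ' HTTP/1.0" 200 812',
    '192.0.2.77 - - [14/Jun/2001:12:00:09 -0700] "GET /docs' + '/' * 64 + ' HTTP/1.0" 403 290',
    '192.0.2.11 - - [14/Jun/2001:12:00:12 -0700] "GET /a//b/ HTTP/1.0" 200 300',
]

if __name__ == '__main__':
    for finding in review(SAMPLE):
        print(finding)
```

A `served` verdict only says the padded request got a 2xx response; whether the body was a directory listing or the index page has to be confirmed against the server version and the response itself.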