Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit

From: Ben Laurie (benat_private)
Date: Thu Jun 14 2001 - 08:54:01 PDT


    Matt Watchinski wrote:
    > # Name: Apache Artificially Long Slash Path Directory Listing Exploit
    > # Author: Matt Watchinski
    > # Ref: SecurityFocus BID 2503
    > #
    > # Affects: Apache 1.3.17 and below
    
    Doh! From apache 1.3.x CHANGES file:
    
    Changes with Apache 1.3.18 [not released]
    
      *) SECURITY: The default installation could lead to mod_negotiation
         and mod_dir/mod_autoindex displaying a directory listing instead of
         the index.html.* files, if a very long path was created
         artificially by using many slashes. Now a 403 FORBIDDEN is returned.
         [Martin Kraemer]
         
    Of course, 1.3.19 _was_ released. Ages ago.
    
    Cheers,
    
    Ben.
    
    
    --
    http://www.apache-ssl.org/ben.html
    
    "There is no limit to what a man can do or how far he can go if he
    doesn't mind who gets the credit." - Robert Woodruff
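
A log check for the behaviour described in the CHANGES entry quoted above, added here as an illustration and not part of Ben Laurie's message or of Apache: it flags requests whose path contains a long run of slashes and separates those answered with 403 from those that were served. The threshold, the function names and the log lines are assumptions constructed for the example; the entry gives no number for "very long".

```python
import re

# Assumption: the page gives no figure for "very long"; tune this per site.
SLASH_RUN_THRESHOLD = 64

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' in a request path."""
    return max((len(run) for run in re.findall(r'/+', path)), default=0)

def classify(line, threshold=SLASH_RUN_THRESHOLD):
    """Return (host, run_length, verdict) for a slash-padded request, else None."""
    m = CLF.match(line)
    if not m:
        return None                      # not a parseable access-log line
    host, _method, path, status = m.groups()
    run = longest_slash_run(path.split('?', 1)[0])   # ignore the query string
    if run < threshold:
        return None                      # ordinary request
    if status == '403':
        verdict = 'rejected'             # the response the CHANGES entry describes
    elif status.startswith('2'):
        verdict = 'served'               # content returned: check the server version
    else:
        verdict = 'other'
    return host, run, verdict

def scan(lines, threshold=SLASH_RUN_THRESHOLD):
    """Classify every line and keep only the slash-padded requests."""
    return [hit for hit in (classify(l, threshold) for l in lines) if hit]

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2001:08:00:01 -0700] "GET /index.html HTTP/1.0" 200 1456',
    '198.51.100.7 - - [14/Jun/2001:08:00:05 -0700] "GET /' + '/' * 200 + ' HTTP/1.0" 200 3120',
    '198.51.100.7 - - [14/Jun/2001:08:00:09 -0700] "GET /docs' + '/' * 300 + ' HTTP/1.0" 403 289',
    '192.0.2.10 - - [14/Jun/2001:08:00:12 -0700] "GET /a//b/ HTTP/1.0" 200 512',
]

if __name__ == '__main__':
    for host, run, verdict in scan(SAMPLE_LOG):
        print(f'{host}: slash run of {run} -> {verdict}')
```

A `served` hit is only a prompt to check the server version and what was actually returned; the log line alone does not show whether a directory listing was sent.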
    


