Apache HTTPD's magical behavior

From: Russell Handorf (rhandorfat_private-world.com)
Date: Fri Nov 30 2001 - 09:04:01 PST


    Today I was browsing the Internet when I came across a server that would 
    not let me view the contents of the root dir.
    
    However, it did let me view the contents of a dir within its root dir. So 
    I tried the following:
    
    http://>/<dir i can browse>../
    
    And for some reason it allowed me to view the root dir and all of its contents.
    
    Anyone else have this problem?
    
    I submit the following example.
    
    First, go to
    
    http://backbone.sourceforge.com
    
    Now, go to
    
    http://backbone.sourceforge.net/mrtg-2.8.12/..		(Don't forget the '..'s)
    
    I know the server logs it as viewing the readable dir plus the /.. and 
    that files within the root dir, once exposed via the '..', may have a 
    problem with being downloaded. That is easily circumvented via adding in 
    the file name after .. (ex: http://>/<dir>/../<file>)
    
    
    russ
    ==================================
    Russell Handorf
    oooo, shiney ::Wanders after it::
    
    www.russells-world.com
    www.inside-aol.com
    www.terrorists.net
    www.bad-mother-fucker.org
    www.philly2600.net
    
    "Computer games don't affect kids, I mean if Pacman affected us as kids, 
    we'd all be running around in darkened rooms, munching pills and listening 
    to repetitive music." ~unknown
    ==================================
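
Because the message notes that the server logs such a request as the readable dir plus the /.., these requests can be picked out of an access log and compared with the directory they actually resolve to. The following is an added example, not part of the original post; it assumes Common Log Format entries, and the sample lines, addresses and paths are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common/Combined Log Format entry: "METHOD target HTTP/x.y" status
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def resolve(target):
    """Return (raw_path, resolved_path) for a request target, or None if no '..' segment."""
    raw = unquote(urlsplit(target).path)      # decode %2e%2e so encoded dots are seen too
    if ".." not in raw.split("/"):            # 'v1..2' is a normal name, not a parent reference
        return None
    resolved = posixpath.normpath("/" + raw.lstrip("/"))
    if raw.endswith(("/", "/..")) and resolved != "/":
        resolved += "/"                       # the request addressed a directory
    return raw, resolved

def find_dotdot_requests(lines):
    """Return (status, raw_path, resolved_path) for each log line whose path has a '..' segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        r = resolve(m.group("target"))
        if r:
            hits.append((int(m.group("status")), r[0], r[1]))
    return hits

# Constructed sample lines (not from a real server); addresses and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2001:09:01:00 -0800] "GET /docs/ HTTP/1.0" 200 1532',
    '192.0.2.10 - - [30/Nov/2001:09:01:07 -0800] "GET /docs/.. HTTP/1.0" 200 4211',
    '192.0.2.10 - - [30/Nov/2001:09:01:15 -0800] "GET /docs/../notes.txt HTTP/1.0" 200 880',
    '192.0.2.11 - - [30/Nov/2001:09:02:40 -0800] "GET /docs/%2e%2e/ HTTP/1.0" 403 210',
    '192.0.2.12 - - [30/Nov/2001:09:03:02 -0800] "GET /docs/v1..2/readme HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for status, raw, resolved in find_dotdot_requests(SAMPLE_LOG):
        print(f"{status} logged={raw!r} resolves_to={resolved!r}")
```

A 200 status on a line whose resolved path is a directory that is not meant to be listed is the case worth reviewing against the server's access configuration.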
    


