ok, so ? ... I don't see the problem ... at least with your example you get exactly the same thing, that is the '/', but you DO have access to it without the '/../' trick ... so you are actually stealing your own hat ... :-)

it seems to me that apache will FIRST rewrite the URL from http://host/dir1/dir2/../ to http://host/dir1/ and THEN look up the result on the disk ... so, if you try http://dtp.kappa.ro/x/../ you will get http://dtp.kappa.ro/ even if the 'x' dir doesn't exist ...

it seems to me like a feature: apache first cleans up the URI ...

as I said ... I don't see the problem ...

Best regards,
------
Doru Petrescu
KappaNet - Senior Software Engineer
E-mail: pdoruat_private
LINUX - the choice of the GNU generation

On Fri, 30 Nov 2001, Russell Handorf wrote:

> Today I was browsing the Internet when I came across a server that would
> not let me view the contents of the root dir.
>
> However, it did let me view the contents of a dir within its root dir. So
> I tried the following:
>
> http://>/<dir i can browse>../
>
> And for some reason it allowed me to view the root dir and all of its contents.
>
> Anyone else have this problem?
>
> I submit the following example.
>
> First, go to
>
> http://backbone.sourceforge.com
>
> now, go to
>
> http://backbone.sourceforge.net/mrtg-2.8.12/.. (Don't forget the '..'s)
>
> I know the server logs it as viewing the readable dir plus the /.. and
> that files within the root dir, once exposed via the '..', may have a
> problem with being downloaded. That is easily circumvented via adding in
> the file name after ..
> (ex: http:// >/<dir>/../<file>
>
>
> russ
> ==================================
> Russell Handorf
> oooo, shiney ::Wanders after it::
>
> www.russells-world.com
> www.inside-aol.com
> www.terrorists.net
> www.bad-mother-fucker.org
> www.philly2600.net
>
> "Computer games don't affect kids, I mean if Pacman affected us as kids,
> we'd all be running around in darkened rooms, munching pills and listening
> to repetitive music." ~unknown
> ==================================
>
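The point the thread turns on is the order of operations: the server removes the dot segments from the request path first, and only then resolves the result on disk and applies whatever per-directory policy covers it. The example below is added here and is not Apache's code or either poster's; it implements the standard RFC 3986 "remove_dot_segments" algorithm and a hypothetical per-directory listing policy (the directory names and the policy table are constructed for illustration) to show how a decision made on the raw request string, which is also what the access log records, differs from one made on the normalized path the server actually opens.

```python
"""Dot-segment normalization versus raw-path policy checks (added example)."""


def remove_dot_segments(path: str) -> str:
    """Collapse '.' and '..' segments of a URL path (RFC 3986 section 5.2.4).

    This is the kind of clean-up a web server does before mapping the
    path onto the filesystem. '..' above the root is simply dropped, so
    the result never escapes '/'. A trailing '/', '/.' or '/..' keeps the
    result a directory, which is what URLs such as '/dir/..' rely on.
    """
    keep_dir = path.endswith(("/", "/.", "/..")) or path in (".", "..")
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    result = "/" + "/".join(stack)
    if keep_dir and not result.endswith("/"):
        result += "/"
    return result


# Constructed, hypothetical per-directory policy: True = directory
# listing allowed. It stands in for a per-directory server option; the
# directory names are taken from the thread purely as sample data.
LISTING_POLICY = {
    "/": False,
    "/mrtg-2.8.12/": True,
}


def listing_allowed(path: str, normalize: bool = True) -> bool:
    """Decide whether a directory listing would be served for `path`.

    With normalize=True the decision is made on the resolved path, i.e.
    what the server would actually open. With normalize=False it is made
    on the raw request string, which is the mistake to avoid: a request
    for '/sub/..' then inherits the policy of '/sub/' although the
    filesystem target is the root.
    """
    p = remove_dot_segments(path) if normalize else path
    if not p.startswith("/"):
        p = "/" + p
    if not p.endswith("/"):
        p += "/"
    # Longest matching directory prefix wins, like per-directory
    # configuration inheritance.
    best = max((d for d in LISTING_POLICY if p.startswith(d)), key=len)
    return LISTING_POLICY[best]


if __name__ == "__main__":
    for raw in ("/mrtg-2.8.12/..", "/x/../", "/mrtg-2.8.12/", "/"):
        print(f"{raw!r:22} -> {remove_dot_segments(raw)!r:8} "
              f"normalized: {listing_allowed(raw)} "
              f"raw: {listing_allowed(raw, normalize=False)}")
```

Run stand-alone, the loop shows `/mrtg-2.8.12/..` and `/x/../` both resolving to `/`, where the normalized check applies the root's policy, while the raw-string check still credits the first request to the readable subdirectory. The general lesson is that any per-path policy has to be evaluated on the normalized path, and that a log line showing `/dir/..` describes the request as sent, not the resource that was served.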
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 12:22:26 PST