Re: Apache HTTPD's magical behavior

From: Doru Petrescu (pdoruat_private)
Date: Fri Nov 30 2001 - 12:02:21 PST


    ok, so ? ... I don't see the problem ...
    
    at least with your example you get exactly the same thing, that is the '/'
    but you DO have access to it without the '/../' trick ... so you are actually
    stealing your own hat ... :-)
    
    it seems to me that apache will FIRST rewrite the URL
    from http://host/dir1/dir2/../ to http://host/dir1/
    and THEN lookup the result into the disk ...
    
    so, if you try http://dtp.kappa.ro/x/../ you will get
    http://dtp.kappa.ro/ even if the 'x' dir doesn't exist ...
    
    it seems to me like a feature: apache first cleans up the URI ...
    
    as I said ... I don't see the problem ...
    
    Best regards,
    ------
    Doru Petrescu
    KappaNet - Senior Software Engineer
    E-mail: pdoruat_private		 LINUX - the choice of the GNU generation
    
    
    
    On Fri, 30 Nov 2001, Russell Handorf wrote:
    
    > Today I was browsing the Internet when I came across a server that would
    > not let me view the contents of the root dir.
    >
    > However, it did let me view the contents of a dir within its root dir. So
    > I tried the following:
    >
    > http://>/<dir i can browse>../
    >
    > And for some reason it allowed me to view the root dir and all of its contents.
    >
    > Anyone else have this problem?
    >
    > I submit the following example.
    >
    > First, go to
    >
    > http://backbone.sourceforge.com
    >
    > now, go to
    >
    > http://backbone.sourceforge.net/mrtg-2.8.12/..		(Don't forget the '..'s)
    >
    > I know the server logs it as viewing the readable dir plus the /.. and
    > that files within the root dir, once exposed via the '..', may have a
    > problem with being downloaded. That is easily circumvented via adding in
    > the file name after .. (ex: http://>/<dir>/../<file>)
    >
    >
    > russ
    > ==================================
    > Russell Handorf
    > oooo, shiney ::Wanders after it::
    >
    > www.russells-world.com
    > www.inside-aol.com
    > www.terrorists.net
    > www.bad-mother-fucker.org
    > www.philly2600.net
    >
    > "Computer games don't affect kids, I mean if Pacman affected us as kids,
    > we'd all be running around in darkened rooms, munching pills and listening
    > to repetitive music." ~unknown
    > ==================================
    >
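The normalization Doru describes above (collapse '/dir1/dir2/../' to '/dir1/' lexically, before anything touches the disk, so '/x/../' maps to '/' whether or not 'x' exists), as an added example that is not part of this thread and is not Apache's own code. The per-directory policy table and the request paths are constructed for illustration. What it shows is the practitioner's point behind the thread: a per-directory rule such as "may this directory be listed" gives one answer on the raw path and another on the canonical path, so the policy check must run on the canonical form.

```python
"""
Lexical URI-path normalization modelled on the behaviour described in the
message above.  Added illustration only; Apache's real implementation is in
its own util code and also handles encoded slashes, case, trailing-slash
redirects and more.
"""
from urllib.parse import unquote


def normalize_uri_path(path: str) -> str:
    """Collapse '.' and '..' segments purely lexically, clamping at '/'.

    No filesystem access: "/x/../" becomes "/" even if "x" never existed.
    Percent-decoding is done once, before normalization, so "%2e%2e" is
    seen as "..".  (A real server would reject an encoded '/' outright;
    this toy simply decodes it.)
    """
    path = unquote(path)
    if not path.startswith("/"):
        path = "/" + path
    trailing_slash = path.endswith("/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # empty ("//") and "." are no-ops
        if seg == "..":
            if segments:
                segments.pop()            # climb one level ...
            continue                      # ... but never above the root
        segments.append(seg)
    result = "/" + "/".join(segments)
    if trailing_slash and result != "/":
        result += "/"
    return result


# Constructed policy, in the spirit of the thread: the document root is not
# listable, the sub-directory is.  Hypothetical names, not a real site.
INDEX_ALLOWED = {
    "/": False,
    "/mrtg-2.8.12/": True,
}


def _longest_prefix_rule(path: str) -> bool:
    """Pick the most specific directory rule that prefixes the path."""
    best_prefix, best_allowed = None, False   # default: deny
    for prefix, allowed in INDEX_ALLOWED.items():
        if path.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
            best_prefix, best_allowed = prefix, allowed
    return best_allowed


def listing_allowed_raw(raw_path: str) -> bool:
    """The mistake: decide on the path exactly as the client sent it."""
    return _longest_prefix_rule(raw_path)


def listing_allowed_canonical(raw_path: str) -> bool:
    """The correct order: normalize first, then apply the directory rule."""
    return _longest_prefix_rule(normalize_uri_path(raw_path))


if __name__ == "__main__":
    for req in ("/mrtg-2.8.12/", "/mrtg-2.8.12/..", "/mrtg-2.8.12/../readme.txt",
                "/x/../", "/a/%2e%2e/b"):
        print(f"{req:30} -> {normalize_uri_path(req):15} "
              f"raw={listing_allowed_raw(req)!s:5} canonical={listing_allowed_canonical(req)}")
```

Run it stand-alone to see the two checks disagree on "/mrtg-2.8.12/..": the raw-path rule matches the listable sub-directory, the canonical one sees "/" and denies. Whatever the server's internal order is, any access decision made on the un-normalized string is the one to be suspicious of.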
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 12:22:26 PST