On Sat, 22 Jun 2002, Jedi/Sector One wrote:

> SetEnv DATE_LOCALE "******************************************..."

While this apparently is not an issue with "AllowOverride none" (I think
that's the default configuration for user-writable directories), and
typically, having different, execution-related AllowOverride settings
means you are a less or more trusted user, most likely can execute code
with Apache UID, there are still some interesting consequences of
exploiting a buffer overflow in the child process - for example, getting
write access to logs. Probably worth investigating.

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 12:49:32 PDT