[1228] in bugtraq


put and delete functions in httpd

daemon@ATHENA.MIT.EDU (Dr. Frederick B. Cohen)
Sat Mar 11 13:34:58 1995

From: fc@all.net (Dr. Frederick B. Cohen)
To: bugtraq@fc.net
Date: Sat, 11 Mar 1995 12:09:41 -0500 (EST)

I was looking through the code to httpd and noticed the functions Put
and Delete - apparently using the same access controls as get, etc. 
Does this mean the default is that anyone can delete and put replacement
files in http servers? I removed the code (to no negative effect) from
my httpd but didn't test to exercise the potential problem.  I would be
interested to hear of anyone who tests and finds that outsiders can
modify their servers this way.

Also of interest - httpd produces error returns when you ask for a moved
file, etc.  I modified our daemon to do a redirect to our home-page so
that users don't have to read error messages and try other URLs.  It
seems to work well and eliminates a number of access control concerns
with people guessing URLs (any URL works - but you almost always get the
home page).  Also, this seems to redirect programs looking at robots.txt.
I wonder how many of them fail from syntax errors?

FC

