[1332] in WWW Security List Archive


Re: NCSA Httpd Security Hole

daemon@ATHENA.MIT.EDU (Brian Behlendorf)
Fri Dec 22 22:34:27 1995

Date: Fri, 22 Dec 1995 14:45:07 -0800 (PST)
From: Brian Behlendorf <brian@organic.com>
To: David Pratt <dpratt@msc.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199512221603.KAA11605@uh.msc.edu>
Errors-To: owner-www-security@ns2.rutgers.edu


On Fri, 22 Dec 1995, David Pratt wrote:
...
>      URL:    http://www.foo.com//cgi-bin/
>      URL:    http://www.foo.com///cgi-bin/man.pl
...


Apache 1.0 is also free from this hole.  From the CHANGELOG:

>   *) Allowed any number of '/' characters to match a single '/' when
>      checking for Aliases; this keeps certain ScriptAlias directives
>      from getting bypassed.  [Robert Thau]

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
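
The CHANGELOG entry quoted in the message above, as an added example that is not part of the original message and is not Apache or NCSA code: a byte-for-byte alias prefix check beside a matcher that lets any run of '/' match a single '/'. The function names and the `/cgi-bin/` alias are assumptions for illustration; the doubled-slash paths are the ones from the quoted report.

```c
#include <stdio.h>
#include <string.h>

/* Byte-for-byte prefix check: extra leading '/' characters defeat it. */
static int naive_alias_match(const char *uri, const char *alias)
{
    size_t n = strlen(alias);
    return strncmp(uri, alias, n) == 0 ? (int)n : 0;
}

/* Any run of '/' in the request matches a run of '/' in the alias.
 * Returns the number of request bytes covered by the alias, 0 if none. */
static int alias_match(const char *uri, const char *alias)
{
    const char *u = uri, *a = alias;

    if (*a == '\0')
        return 0;
    while (*a) {
        if (*a == '/') {
            if (*u != '/')
                return 0;
            while (*a == '/') a++;
            while (*u == '/') u++;
        } else if (*u++ != *a++) {
            return 0;
        }
    }
    /* An alias without a trailing '/' must end on a segment boundary. */
    if (a[-1] != '/' && *u != '\0' && *u != '/')
        return 0;
    return (int)(u - uri);
}

int main(void)
{
    /* Paths from the quoted report plus the ordinary form; alias is assumed. */
    const char *alias = "/cgi-bin/";
    const char *paths[] = { "/cgi-bin/man.pl", "//cgi-bin/", "///cgi-bin/man.pl" };

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-20s naive=%d collapsed=%d\n", paths[i],
               naive_alias_match(paths[i], alias) > 0,
               alias_match(paths[i], alias) > 0);
    return 0;
}
```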

