[21021] in bugtraq


Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory

daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Jun 14 15:29:57 2001

Message-ID: <3B28DE19.8DD74E6B@algroup.co.uk>
Date: Thu, 14 Jun 2001 16:54:01 +0100
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: Bugtraq <BUGTRAQ@securityfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Matt Watchinski wrote:
> # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> # Author: Matt Watchinski
> # Ref: SecurityFocus BID 2503
> #
> # Affects: Apache 1.3.17 and below

Doh! From apache 1.3.x CHANGES file:

Changes with Apache 1.3.18 [not released]

  *) SECURITY: The default installation could lead to mod_negotiation
     and mod_dir/mod_autoindex displaying a directory listing instead of
     the index.html.* files, if a very long path was created artificially
     by using many slashes. Now a 403 FORBIDDEN is returned.
     [Martin Kraemer]
     
Of course, 1.3.19 _was_ released. Ages ago.

Cheers,

Ben.


--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
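
A defender's check for the request shape the CHANGES entry describes, as an added example that is not part of the message above or of Apache's code: it scans Common Log Format access-log lines for paths with long slash runs and separates 403 responses (the fixed behaviour quoted above) from 2xx responses. The threshold `MAX_SLASH_RUN`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
                 r'(?P<status>\d{3}) \S+')

MAX_SLASH_RUN = 16  # assumed threshold, tune to what your own URLs contain


def longest_slash_run(path):
    """Longest run of consecutive '/' in the URL path (query string ignored)."""
    runs = re.findall(r'/+', path.split('?', 1)[0])
    return max(map(len, runs), default=0)


def classify(line):
    """Return a finding dict for a long-slash request, else None."""
    m = CLF.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    run = longest_slash_run(m['path'])
    if run <= MAX_SLASH_RUN:
        return None
    status = int(m['status'])
    if status == 403:
        verdict = 'forbidden'   # behaviour the CHANGES entry describes
    elif 200 <= status < 300:
        verdict = 'served'      # content returned: check version and body
    else:
        verdict = 'other'
    return {'host': m['host'], 'slashes': run, 'status': status, 'verdict': verdict}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log lines (documentation addresses, made-up sizes)
SAMPLE = [
    '192.0.2.10 - - [14/Jun/2001:15:01:02 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [14/Jun/2001:15:02:10 +0100] "GET ' + '/' * 300 + ' HTTP/1.0" 200 5120',
    '192.0.2.77 - - [14/Jun/2001:15:02:11 +0100] "GET /docs' + '/' * 300 + ' HTTP/1.0" 403 288',
    '192.0.2.10 - - [14/Jun/2001:15:03:00 +0100] "GET /docs//readme.txt HTTP/1.0" 200 777',
    'truncated or corrupt line',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A `served` finding only says that content came back for a long-slash request; whether it was a directory listing has to be confirmed from the server version and the response body.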
