[21450] in bugtraq
Re: How Google indexed a file with no external link
daemon@ATHENA.MIT.EDU (Kevin)
Tue Jul 10 12:57:08 2001
Date: Tue, 10 Jul 2001 11:11:44 -0400
From: Kevin <kevin@brasscannon.net>
To: bugtraq@securityfocus.com
Message-ID: <20010710111144.A30470@brasscannon.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010710160615.A5914@globnix.org>; from Phil.Pennock@globnix.org on Tue, Jul 10, 2001 at 04:06:15PM +0200
The problem (at least in my case) has been resolved, so if you've been
checking my site you can stop now: ;-)
> > http://handsonhowto.com/?M=A
> > http://handsonhowto.com/?S=D
I now get the index.html page, as intended.
The fix was to take all the "Indexes" options out of my httpd.conf; all
of my docroots have index.html files (including one for the bare IP
address*), so I won't miss having it turned on.
*(This covers the case where someone hits the IP address instead of a
named virtual host; rather than defaulting to one page out of many, I
put up a "You are not here" page listing the named sites.)
This does appear to be an Apache bug, and now that we have a handle on
it, I'll report it as such.
The prize for the most code-oriented response:
> Looking at the Apache source: src/modules/standard/mod_autoindex.c
> we see:
> -----------------------------< cut here >-------------------------------
> /*
> * Define keys for sorting.
> */
> #define K_NAME 'N' /* Sort by file name (default) */
> #define K_LAST_MOD 'M' /* Last modification date */
> #define K_SIZE 'S' /* Size (absolute, not as displayed) */
> #define K_DESC 'D' /* Description */
>
> #define D_ASCENDING 'A'
> #define D_DESCENDING 'D'
> -----------------------------< cut here >-------------------------------
>
> It looks as though the auto-indexing ignores the existence of index.html
> if provided with params. This seems to be the QUERY_STRING handling in
> index_directory().
>
> I don't know Apache well enough, but I would suggest that the bit of the
> logic which handles "/" -> "/index.html" comes earlier in the parsing,
> before deciding to hand things off to mod_autoindex and that this first
> rewriting logic can't handle query-strings.
Suggestions about a quick-fix in httpd.conf were received from many
parties, and it worked immediately. My thanks to all.
