[22008] in bugtraq
Re: Apache Artificially Long Slash Path Directory ListingVulnera bility
daemon@ATHENA.MIT.EDU (Ken)
Mon Jul 30 15:31:25 2001
Message-ID: <3B658AAC.5511EAB0@pacific.net>
Date: Mon, 30 Jul 2001 09:26:20 -0700
From: Ken <ka@pacific.net>
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Tested & Vulnerable apache 1.3.4 on bsdi 4.0
Turned off "MultiViews" & now we're not vulnerable.
Multiviews controls content negotiation, so you could have some problems
if you have multilingual customer base, but this isn't much of an issue
for us.
This is the easy fix, yes?
Ken
peter.allen@moon-light.co.uk wrote:
>
> According to Bugtraq it only applies to Apache 1.3.17 and lower.
>
> HTH
>
> Peter
>
> At 15:43 27/07/01 -0700, Phil Stracchino wrote:
> >On Fri, Jul 27, 2001 at 06:12:11PM -0400, Brian Dinello wrote:
> > >
> > >
> > > As we don't have access to all versions of Apache on all platforms, I can't
> > > say for certain that this will work on all of them. The version that we
> > > have successfully tested on with 100% consistency is Apache 1.3.12 on
> > NT4.
> > >
> > > Please let me know if you duplicate this success on any other platforms.
> >
> >I was unable to reproduce it on Apache 1.3.20/PHP4.0.6/mysql-3.23.36 on
> >Slackware 7.0.
> >
> >
> >--
> > Linux Now! ..........Because friends don't let friends use Microsoft.
> > phil stracchino -- the renaissance man -- mystic zen biker geek
> > alaric@babcom.com halmayne@sourceforge.net
> > 2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)
