[22031] in bugtraq
Re: Apache Artificially Long Slash Path Directory ListingVulnera
daemon@ATHENA.MIT.EDU (Seva Gluschenko)
Tue Jul 31 13:07:23 2001
Date: Tue, 31 Jul 2001 11:56:49 +0400 (MSD)
From: Seva Gluschenko <gvs@rinet.ru>
To: Ken <ka@pacific.net>
Cc: <bugtraq@securityfocus.com>
In-Reply-To: <3B658AAC.5511EAB0@pacific.net>
Message-ID: <20010731115238.Y36053-100000@localhost>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message from Ken at Jul 30 09:26 in parts:
K> Tested & Vulnerable apache 1.3.4 on bsdi 4.0
K> Turned off "MultiViews" & now we're not vulnerable.
K> Multiviews controls content negotiation, so you could have some problems
K> if you have multilingual customer base, but this isn't much of an issue
K> for us.
K> This is the easy fix, yes?
The most easiest, due and secure way to fix that is to upgrade Apache
server to the fixed version, as it did the person who reported below.
This is a generally bad idea to test vulnerabilities of older versions
and proudly report it to Bugtraq when anybody may get the most correct
information from Release Notes @ www.apache.org
K> > >I was unable to reproduce it on Apache 1.3.20/PHP4.0.6/mysql-3.23.36 on
K> > >Slackware 7.0.
SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator. | GVS-RIPE | GVS3-RIPN
