[22619] in bugtraq
Re: More security problems in Apache on Mac OS X
daemon@ATHENA.MIT.EDU (Jeremey A. Mates)
Wed Sep 12 00:33:26 2001
Date: Tue, 11 Sep 2001 19:01:09 -0700
From: "Jeremey A. Mates" <jmates@sial.org>
To: bugtraq@securityfocus.com
Message-ID: <20010911190109.A29313@darkness.sial.org>
Mail-Followup-To: "Jeremey A. Mates" <jmates@darkness.sial.org>,
bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <sb9e2faf.002@siskiyou.sou.edu>
* Paul Lieberman <lieb@sou.edu> [2001-09-11 16:46:59]:
> This matches any file that starts with a period and seems to do the
> trick. I can't think of an instance where you'd want a hidden file
> to display on the web. Am I missing something?
Yes; I block all dot files by default on my webservers, and ran into a
recent problem where a particular site used Server Side Includes (SSI)
to reference ".lastupdate" files via "#include virtual" statements.
The site stopped working when moved under my webserver, due to the SSI
invoking a full lookup on the URI, which was blocked due to the
dot-file restriction.
Just something to keep in mind...
--
Jeremy Mates http://www.sial.org/
"You cannot control, only catch." -- Tsung Tsai
