[8997] in bugtraq
Re: HTTP REQUEST_METHOD flaw
daemon@ATHENA.MIT.EDU (Kragen Sitaker)
Fri Jan 8 17:47:09 1999
Date: Thu, 7 Jan 1999 16:40:26 -0500
Reply-To: Kragen Sitaker <kragen@POBOX.COM>
From: Kragen Sitaker <kragen@POBOX.COM>
X-To: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.4.05.9901060947570.11644-100000@alive.znep.com>
On Wed, 6 Jan 1999, Marc Slemko wrote:
(on <Limit GET POST>)
> This certainly isn't a new issue, and certainly isn't anything that hasn't
> been said over and over, and isn't a bug in Apache but a bug in a user's
> configuration, but people still seem to have trouble getting the message.
This is because many people are still using web pages that tell how to
configure circa-1995 NCSA httpd when they want to find out how to
configure Apache, or fix their config files.
An AltaVista search for limit-get-post finds 589 web pages -- including
http://www.apache.kr.net/ in an example access.conf! -- so probably
several times that many old web pages, memories, hastily jotted notes,
and documents around the world are providing faulty information to new
admins.
The only real solution will be to make a non-backwards-compatible
change, perhaps changing the name of the <Limit> directive.
(I'm reminded of a particular brand of small plane that used to keep
crashing with fuel-system problems on landing. Why? The fuel shutoff
valve handle was located where the internal heating-system shutoff
valve handle was located on another brand of small planes. Pilots
would reach up to turn off the heat as they approached -- the better to
be more alert -- and would then discover that the engines no longer
worked.)
--
<kragen@pobox.com> Kragen Sitaker <http://www.pobox.com/~kragen/>
[around 1998-12-23], it is amazing to watch fear and loathing and greed at
play with the more speculative Internet stocks. To call this a tulip
craze would be a vast understatement. -- Adam Rifkin, <adam@cs.caltech.edu>
