[2211] in bugtraq
Re: httpd symlinks
daemon@ATHENA.MIT.EDU (Panzer Boy)
Thu Sep 7 16:42:09 1995
Date: Thu, 7 Sep 1995 04:11:39 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Panzer Boy <panzer@dhp.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Jon Lewis (jlewis@inorganic5.chem.ufl.edu) wrote:
: I was just fooling around and was shocked to find that
: SymLinksIfOwnerMatch is totally broken in the version of Apache I've been
: using. I created a symlink from a public_html dir to / and was able to
: see /. I downloaded/compiled the latest apache and did some testing of
: SymLinksIfOwnerMatch with various versions of httpd I had handy and found
: the following:
: NCSA 1.3 works, even on double symlinks
: Apache 0.6.2 works on symlinks, broken for double symlinks
: Apache 0.8.8 broken for symlinks and double symlinks
: Apache 0.8.11 works, even on double symlinks
Wildcards in access files were broken on 0.8.8; I'm not sure about
earlier. So even if you had "*/public_html*", homedirs wouldn't match...
--
-Matt (panzer@dhp.com) DI-1-9026
"That which can never be enforced should not be prohibited."
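
An added example, not part of the original post and not code from any httpd: a Python audit that follows each symlink under a directory one hop at a time and reports any element of the chain, including the far end of a double symlink, that is not owned by the link's owner. The function names, the hop limit, and the rule of comparing every hop against the first link's owner are assumptions of this example.

```python
import os
import sys

MAX_HOPS = 40  # assumed loop guard for this example

def lstat_uid(path):
    """Owner of the path itself (a symlink is not followed)."""
    return os.lstat(path).st_uid

def resolve_chain(path, max_hops=MAX_HOPS):
    """Return [link, hop1, ..., final], following one symlink per step.
    Only the final path component is followed; symlinked parent
    directories are not examined."""
    chain = [path]
    while os.path.islink(chain[-1]):
        if len(chain) > max_hops:
            raise OSError("too many symlink hops: " + path)
        cur = chain[-1]
        nxt = os.path.join(os.path.dirname(cur), os.readlink(cur))
        chain.append(os.path.normpath(nxt))
    return chain

def owner_mismatch(link, owner_of=lstat_uid):
    """Return the first chain element not owned by the link's owner, or None."""
    chain = resolve_chain(link)
    link_uid = owner_of(chain[0])
    for hop in chain[1:]:
        if owner_of(hop) != link_uid:
            return hop
    return None

def audit_tree(root, owner_of=lstat_uid):
    """List (symlink, offending element) for each symlink under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # links are not descended
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            try:
                bad = owner_mismatch(path, owner_of)
            except OSError:  # dangling link or loop: report the link itself
                bad = path
            if bad is not None:
                findings.append((path, bad))
    return findings

if __name__ == "__main__":
    for link, bad in audit_tree(sys.argv[1]):
        print(link, "->", bad)
```

Run it with a directory such as a user's public_html as the only argument; the `owner_of` parameter exists so the ownership lookup can be replaced when testing without multiple accounts.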