[33418] in bugtraq
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
daemon@ATHENA.MIT.EDU (langtuhaohoa caothuvolam)
Wed Feb 4 13:38:20 2004
Date: 3 Feb 2004 23:37:42 -0000
Message-ID: <20040203233742.15063.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: langtuhaohoa caothuvolam <trungonly@yahoo.com>
To: bugtraq@securityfocus.com
In-Reply-To: <20040203063933.12546429.nd@perlig.de>
>From: =?ISO-8859-15?Q?Andr=E9?= Malo <nd@perlig.de>
>
>
>Deny from all (in conclusion with some other) denies HTTP access on some
>criteria. It doesn't suppose to protect against access from inside the
>server.
>
Deny From All: In this way they can access from outside the server.
AllowOverride FileInfo (only): Apache must suppose to protect against .htaccess override from inside the server.
In fact, Apache should check for config permission again in the ap_process_request_internal() function.
>
>> I post this issue in the public mailing list, because I think this
>> vuln is not exploitable by a remote attacker. If something were
>> wrong, drop a line to me.
>
>Next time, try a user support forum first. Thanks.
>
>nd
>
I think it's a vuln, in fact I confirmed someones for that. Then I post it into a bug-tracker list instead of in a user support forum. Thanks for your comment.
