Bugtraq mailing list archives
put and delete functions in httpd
From: fc () all net (Dr. Frederick B. Cohen)
Date: Sat, 11 Mar 1995 12:09:41 -0500 (EST)
I was looking through the code to httpd and noticed the functions Put and Delete - apparently using the same access controls as get, etc. Does this mean the default is that anyone can delete and put replacement files in http servers? I removed the code (to no negative effect) from my httpd but didn't test to exercise the potential problem. I would be interested to hear of anyone who tests and finds that outsiders can modify their servers this way.

Also of interest - httpd produces error returns when you ask for a moved file, etc. I modified our daemon to do a redirect to our home-page so that users don't have to read error messages and try other URLs. It seems to work well and eliminates a number of access control concerns with people guessing URLs (any URL works - but you almost always get the home page). Also, this seems to redirect programs looking at robots.txt. I wonder how many of them fail from syntax errors?

FC
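An added example, not part of the original post and not code from any httpd: a constructed Python model of the two policies the message raises, namely write methods sharing the read access check versus being checked separately with default deny, and a catch-all redirect that exempts robots.txt. All names, paths and the host address are assumptions made for illustration.

```python
# Constructed model of a static-file server's request policy (hypothetical names).
READ_METHODS = {"GET", "HEAD"}
WRITE_METHODS = {"PUT", "DELETE"}

DOCUMENTS = {"/index.html", "/papers/list.html"}   # constructed sample content
HOME_PAGE = "/index.html"
WRITE_ALLOWED_HOSTS = set()     # empty: nobody may PUT or DELETE by default
NO_REDIRECT = {"/robots.txt"}   # must answer 404 when absent, never the home page


def read_allowed(host):
    """Public web server: every host may read."""
    return True


def shared_acl(method, path, host):
    """The arrangement the post asks about: all methods use the read check."""
    if method in READ_METHODS | WRITE_METHODS:
        return (200, None) if read_allowed(host) else (403, None)
    return (501, None)


def decide(method, path, host):
    """Separate policy: write methods get their own check, default deny."""
    if method in WRITE_METHODS:
        return (200, None) if host in WRITE_ALLOWED_HOSTS else (403, None)
    if method not in READ_METHODS:
        return (501, None)                 # method not implemented
    if not read_allowed(host):
        return (403, None)
    if path in DOCUMENTS:
        return (200, None)
    if path in NO_REDIRECT:
        return (404, None)                 # crawler sees "no robots.txt"
    return (302, HOME_PAGE)                # unknown URL goes to the home page


if __name__ == "__main__":
    outsider = "203.0.113.9"               # documentation address, constructed
    for method, path in [("DELETE", "/index.html"), ("PUT", "/index.html"),
                         ("GET", "/guess.html"), ("GET", "/robots.txt")]:
        print(method, path, shared_acl(method, path, outsider),
              decide(method, path, outsider))
```

Under the shared check an outside host's PUT or DELETE is answered like a GET; under the separate check it is refused unless the host is listed in `WRITE_ALLOWED_HOSTS`.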