Bugtraq mailing list archives

Re: Apache Artificially Long Slash Path Directory Listing Vulnerability -- FILE READ ACCESS


From: Seva Gluschenko <gvs () rinet ru>
Date: Tue, 31 Jul 2001 11:56:49 +0400 (MSD)

Message from Ken at Jul 30 09:26 in parts:

K> Tested & Vulnerable apache 1.3.4 on bsdi 4.0
K> Turned off "MultiViews" & now we're not vulnerable.
K> Multiviews controls content negotiation, so you could have some problems
K> if you have multilingual customer base, but this isn't much of an issue
K> for us.
K> This is the easy fix, yes?

The easiest, due and secure way to fix that is to upgrade the Apache
server to the fixed version, as did the person who reported below.
It is generally a bad idea to test vulnerabilities of older versions
and proudly report them to Bugtraq when anybody may get the most correct
information from the Release Notes @ www.apache.org

K> > >I was unable to reproduce it on Apache 1.3.20/PHP4.0.6/mysql-3.23.36 on
K> > >Slackware 7.0.

SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator.      | GVS-RIPE | GVS3-RIPN

