Bugtraq mailing list archives
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
From: langtuhaohoa caothuvolam <trungonly () yahoo com>
Date: 3 Feb 2004 23:37:42 -0000
In-Reply-To: <20040203063933.12546429.nd () perlig de>
From: =?ISO-8859-15?Q?Andr=E9?= Malo <nd () perlig de> Deny from all (in conclusion with some other) denies HTTP access on some criteria. It doesn't suppose to protect against access from inside the server.
Deny From All: In this way they can access from outside the server. AllowOverride FileInfo (only): Apache must suppose to protect against .htaccess override from inside the server. In fact, Apache should check for config permission again in the ap_process_request_internal() function.
I post this issue in the public mailing list, because I think this vuln is not exploitable by a remote attacker. If something were wrong, drop a line to me.Next time, try a user support forum first. Thanks. nd
I think it's a vuln, in fact I confirmed someones for that. Then I post it into a bug-tracker list instead of in a user support forum. Thanks for your comment.
Current thread:
- BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 02)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 03)
- <Possible follow-ups>
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 03)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) langtuhaohoa caothuvolam (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Dan Yefimov (Feb 05)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Seth Arnold (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Todd C. Campbell (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Tyler Larson (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)