Bugtraq mailing list archives
Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)
From: Tyler Larson <noreply () tlarson com>
Date: Fri, 6 Feb 2004 10:47:39 -0600
I can see how this could *possibly* be an issue. In theory, a user on a shared system could use an ErrorDocument directive to view file that the apache user/group had access to, but the user didn't (such as another user's .htaccess file. The directive would look something like this: ErrorDocument 404 /~otheruser/.htaccess However, in my version of apache (2.0.48) it doesn't work: Given a the set of files below: -- /www/foo/.htaccess -- [see below] (no other files in this directory) -- EOF -- -- /www/foo/bar/.htaccess -- Order Deny, Allow Deny from all -- EOF -- -- /www/foo/bar/secret -- you saw my secret! -- EOF -- And I tried the following values in in /www/foo/.htaccess ---- ErrorDocument 404 /foo/bar/secret ---- ErrorDocument 404 /foo/.htaccess ---- #I knew this one had no chance ErrorDocument 404 /etc/passwd ---- For the first two .htaccess files, I got this response: ----------- Not Found The requested URL /foo/baz was not found on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.48 (Fedora) Server at localhost Port 80 ----------- For the last .htaccess file, I got this response: ----------- Not Found The requested URL /foo/baz was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Apache/2.0.48 (Fedora) Server at localhost Port 80 ----------- The reason why the last one didn't work was because ErrorDocument files are relative to the server's DocumentRoot, not the filesystem root. The first request didn't work because of my "Deny From All" in foo/bar/.htacess, while the second request failed because of the restrictions placed by default on files starting with ".ht".
Current thread:
- BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 02)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 03)
- <Possible follow-ups>
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 03)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) langtuhaohoa caothuvolam (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Dan Yefimov (Feb 05)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Seth Arnold (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Todd C. Campbell (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Tyler Larson (Feb 06)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)