Re: Phun With Apache

[Graham Reed <greed () pobox com>]

On Apr 1, 2005, at 4:19 AM, duper () willhackforfood biz wrote:
> ## Apache follows symbolic links referenced by public_html!
> ## Even when SymLinksifOwnerMatch is set and FollowSymLinks is not!
> ## A super-easy way to gain read access on files owned by the apache 
> user!

It's not (only) a mod_userdir problem.

I found the problem is fully reproducible on the intranet server I 
run--but it does not use mod_userdir.  It gets its work done with 
AliasMatch directives.

I currently believe the culprit is the <Directory> and <DirectoryMatch> 
directives are allowing symbolic links, without following the 
ifOwnerMatch part of the directive.

--
"Dead people don't send spam."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/