Bugtraq: Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

From: André Malo <nd () perlig de>
Date: Wed, 4 Feb 2004 19:07:37 +0100

* langtuhaohoa caothuvolam <trungonly () yahoo com> wrote:

Deny From All: In this way they can access from outside the server.


You mean: An attacker needs to place such a script on the server, which
includes the requested uri.
If he's able to do so, he can

(a) read the file anyway
(b) simply open it from inside the script using normal file operations.

I cannot see a vuln here. If he's able to take the actions described above,
one has *real* trouble on the server.

This seems to me the same topic as the mod_perl hijacking. If you don't trust
your users, don't let them execute code from inside the server.

nd

By Date By Thread

Current thread:

BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 02)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 03)
- <Possible follow-ups>
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Vietnamese Security Group (Feb 03)
- Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) langtuhaohoa caothuvolam (Feb 04)
  - Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) André Malo (Feb 04)
    - Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Dan Yefimov (Feb 05)
    - Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Seth Arnold (Feb 06)
    - Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Todd C. Campbell (Feb 06)
    - Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47) Tyler Larson (Feb 06)