Re: Apache Artificially Long Slash Path Directory ListingVulnera bility -- FILE READ ACCESS

[Ken <ka () pacific net>]

Tested & Vulnerable apache 1.3.4 on bsdi 4.0
Turned off "MultiViews" & now we're not vulnerable. 
Multiviews controls content negotiation, so you could have some problems
if you have multilingual customer base, but this isn't much of an issue
for us. 
This is the easy fix, yes?
Ken



peter.allen () moon-light co uk wrote:
> According to Bugtraq it only applies to Apache 1.3.17 and lower.
>
> HTH
>
> Peter
>
> At 15:43 27/07/01 -0700, Phil Stracchino wrote:
> > On Fri, Jul 27, 2001 at 06:12:11PM -0400, Brian Dinello wrote:
> > > As we don't have access to all versions of Apache on all platforms, I can't
> > > say for certain that this will work on all of them.  The version that we
> > > have successfully tested on with 100% consistency is Apache 1.3.12 on
> > NT4.
> > > Please let me know if you duplicate this success on any other platforms.
> >
> > I was unable to reproduce it on Apache 1.3.20/PHP4.0.6/mysql-3.23.36 on
> > Slackware 7.0.
> >
> >
> > --
> >  Linux Now!   ..........Because friends don't let friends use Microsoft.
> >  phil stracchino   --   the renaissance man   --   mystic zen biker geek
> >         alaric () babcom com                halmayne () sourceforge net
> >    2000 CBR929RR, 1991 VFR750F3 (foully murdered), 1986 VF500F (sold)