lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 09 Feb 2004 14:10:35 +0100
From: Guille -bisho- <bisho@...rica.com>
To: Phan Thái Trung <trungonly@...oo.com>
Cc: "William A. Rowe, Jr." <wrowe@...e-clan.net>,
	Rafael D'Avila <rooter@...ra.com.br>,
	Reagan Blundell <Reagan.Blundell@...tradia.com>,
	André_Malo <nd@...lig.de>,
	bugtraq@...urityfocus.com, security@...pd.apache.org
Subject: Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)


> In my article, I supposed that the administrator
> permit AllowOverride FileInfo, and you, supposed that
> the admin restrict that. What happens if he permit
> AllowOverride FileInfo?
> 
> The problem is, when I tested and looked at the source
> code, if the 403 or other Error document placed
> somewhere outside this current directory, it is not
> parsed in the Deny From All URL (normally, Apache
> wants). If the 403 doc placed in the current
> directory, it can be parsed (unnormally, Apache may
> not want).
> 
> We don't want to prevent this by going round,
> re-configuring Apache in the other way, but by
> ensuring that Apache works well in both cases, the 403
> doc placed outside or inside the restricted directory.

Imagine one of the resellers want to forbit access to all his directory,
and he want's also to put an special error document. There is no reason
why he should add an special allow to the error file.

If the apache admin wants to disallow access of a reseller directory, he
*MUST* disable overrive also. If he doesn't, the user will still be able
to execute php files with error document. Not in that directory but
perfectly in others, imagine /tmp or something similar.

Maybe a warning could be added to the Deny rule in apache documentation,
indicating that this will not prevent access to files from errordocument
directives or other scripting languages (as PHP) that do not follow
apache deny rules.

-- 
        _     Guillermo Pérez    -=] 09/02/2004 [=-
       <·)     - bisho@ ( onirica.com | eurielec.etsit.upm.es )
       ( \>
bisho!  ""\\  ::               Say NO!!! to SW PATENTS                ::
   ..........::                 EuropeSwPatentFree:                   ::
   ::            http://europeswpatentfree.hispalinux.es/             ::

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ