Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

From: langtuhaohoa caothuvolam (trungonly_at_yahoo.com)
Date: 02/04/04

  • Next message: intuit bug_hunter: "TYPSoft FTP Server 1.10 may be crashed" 
    Date: 3 Feb 2004 23:37:42 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is) In-Reply-To: <20040203063933.12546429.nd@perlig.de>

    >From: =?ISO-8859-15?Q?Andr=E9?= Malo <nd@perlig.de>
    >
    >
    >Deny from all (in conclusion with some other) denies HTTP access on some
    >criteria. It doesn't suppose to protect against access from inside the
    >server.
    >

    Deny From All: In this way they can access from outside the server.
    AllowOverride FileInfo (only): Apache must suppose to protect against .htaccess override from inside the server.
    In fact, Apache should check for config permission again in the ap_process_request_internal() function.

    >
    >> I post this issue in the public mailing list, because I think this
    >> vuln is not exploitable by a remote attacker. If something were
    >> wrong, drop a line to me.
    >
    >Next time, try a user support forum first. Thanks.
    >
    >nd
    >
    I think it's a vuln, in fact I confirmed someones for that. Then I post it into a bug-tracker list instead of in a user support forum. Thanks for your comment.

  • Next message: intuit bug_hunter: "TYPSoft FTP Server 1.10 may be crashed"