Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)

From: André Malo (nd_at_perlig.de)
Date: 02/04/04

    Date: Wed, 4 Feb 2004 19:07:37 +0100
    To: langtuhaohoa caothuvolam <trungonly@yahoo.com>
    
    

    * langtuhaohoa caothuvolam <trungonly@yahoo.com> wrote:

    > Deny From All: In this way they can access from outside the server.

    You mean: An attacker needs to place such a script on the server, which
    includes the requested uri.
    If he's able to do so, he can

    (a) read the file anyway
    (b) simply open it from inside the script using normal file operations.

    I cannot see a vuln here. If he's able to take the actions described above,
    one has *real* trouble on the server.

    This seems to me the same topic as the mod_perl hijacking. If you don't trust
    your users, don't let them execute code from inside the server.

    nd

