Bugtraq mailing list archives
Re: HTTP REQUEST_METHOD flaw
From: kragen () POBOX COM (Kragen Sitaker)
Date: Thu, 7 Jan 1999 16:40:26 -0500
On Wed, 6 Jan 1999, Marc Slemko wrote: (on <Limit GET POST>)
This certainly isn't a new issue, and certainly isn't anything that hasn't been said over and over, and isn't a bug in Apache but a bug in a user's configuration, but people still seem to have trouble getting the message.
This is because many people are still using web pages that tell how to configure circa-1995 NCSA httpd when they want to find out how to configure Apache, or fix their config files. An AltaVista search for limit-get-post finds 589 web pages -- including http://www.apache.kr.net/ in an example access.conf! -- so probably several times that many old web pages, memories, hastily jotted notes, and documents around the world are providing faulty information to new admins.

The only real solution will be to make a non-backwards-compatible change, perhaps changing the name of the <Limit> directive.

(I'm reminded of a particular brand of small plane that used to keep crashing with fuel-system problems on landing. Why? The fuel shutoff valve handle was located where the internal heating-system shutoff valve handle was located on another brand of small planes. Pilots would reach up to turn off the heat as they approached -- the better to be more alert -- and would then discover that the engines no longer worked.)

--
<kragen () pobox com> Kragen Sitaker <http://www.pobox.com/~kragen/>
[around 1998-12-23], it is amazing to watch fear and loathing and greed at play with the more speculative Internet stocks. To call this a tulip craze would be a vast understatement. -- Adam Rifkin, <adam () cs caltech edu>
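Added example, not part of the original message and not Apache project code: access-control directives placed inside <Limit GET POST> bind only to the listed methods, so the check below locates such blocks in a config file so they can be reviewed. The sample config, paths and function name are constructed for illustration.

```python
import re

# Access-control directives; inside <Limit ...> they apply only to the listed methods.
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order", "satisfy"}
OPEN_RE = re.compile(r"<\s*Limit\s+([^>]*)>", re.IGNORECASE)   # does not match <LimitExcept>
CLOSE_RE = re.compile(r"<\s*/\s*Limit\s*>", re.IGNORECASE)

# Constructed sample in the style of old NCSA-era access.conf examples.
SAMPLE_CONF = """\
# constructed sample config
<Directory /usr/local/apache/htdocs/private>
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd
<Limit GET POST>
require valid-user
</Limit>
</Directory>
<Directory /usr/local/apache/htdocs/members>
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd
require valid-user
</Directory>
"""

def find_method_scoped_restrictions(config_text):
    """Return one dict per <Limit> block that wraps access-control directives."""
    findings, current = [], None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):       # Apache comments start the line
            continue
        opened = OPEN_RE.match(line)
        if opened:
            methods = opened.group(1).upper().split()
            current = {"line": line_no, "methods": methods, "directives": []}
        elif CLOSE_RE.match(line):
            if current and current["directives"]:
                findings.append(current)
            current = None
        elif current is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            current["directives"].append(line)
    return findings

if __name__ == "__main__":
    for f in find_method_scoped_restrictions(SAMPLE_CONF):
        print("line %d: %s restricted only for methods %s"
              % (f["line"], f["directives"], " ".join(f["methods"])))
```

A flagged block is corrected by moving the directives out of the <Limit> wrapper so they cover every method, as in the second <Directory> section of the sample.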