Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: joe () BLARG NET (Joe)
Date: Tue, 9 May 2000 07:18:40 -0700


On Mon, 8 May 2000, Brian McKinney wrote:

Andrew Reisse said:

<On my servers, I put a section like this in httpd.conf to prevent editor
<backups from being read (which, as you said, might contain passwords or
<other interesting data)

<Files ~ "^\~">
    Order allow,deny
    Deny from all
</Files>

I have tried adding that to a couple of Apache servers with no luck. The
source is still being displayed. As suggested by a friend, I even tried:

<Files ~ "^\.cgi.$">
    Order allow,deny
    Deny from all
</Files>

for blocking files like cgi.text and cgi.bak. I still got the same results.
Is there something I'm missing?

Both of your regular expressions are flawed. The first will only stop people
from seeing files that begin with a tilde, the second will only stop those
that begin with '.cgi'. Your use of the '^' is the problem. The following
rule will work and stop access to files ending with a tilde or files ending
in '.cgi*':

<Files ~ "(\~|\.cgi.+)$">
    Order deny,allow
    Deny from all
</Files>


--
Joe                                     Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
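
Added example, not part of the original message: the three patterns from this thread run against constructed file names to show which requests each rule would deny. It assumes Apache applies a `<Files ~ "...">` regex to the file's base name as an unanchored search, modelled here with Python's `re.search`; the function names and sample paths are hypothetical.

```python
import posixpath
import re

# Patterns from the thread. Assumption: Apache applies a <Files ~ "..."> regex
# to the base name of the file as an unanchored search (re.search here).
PATTERNS = {
    "tilde_prefix": r"^\~",            # first rule quoted in the thread
    "dot_cgi_exact": r"^\.cgi.$",      # second rule quoted in the thread
    "suffix_rule": r"(\~|\.cgi.+)$",   # rule from the reply
}

# Constructed sample paths, not taken from any real server.
SAMPLE_PATHS = [
    "/cgi-bin/login.cgi",       # the live script, must stay reachable
    "/cgi-bin/login.cgi~",      # editor backup with trailing tilde
    "/cgi-bin/login.cgi.bak",   # manual backup copy
    "/cgi-bin/login.cgi.text",  # renamed copy
    "/cgi-bin/~login.cgi",      # name that starts with a tilde
    "/cgi-bin/.cgi1",           # name that is ".cgi" plus one character
    "/index.html",
]


def denied(pattern, paths):
    """Return the paths whose base name matches the <Files> regex."""
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(posixpath.basename(p))]


def report(paths=SAMPLE_PATHS):
    """Map each rule name to the list of sample paths it would deny."""
    return {name: denied(rx, paths) for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:14} {PATTERNS[name]!r:22} denies {hits}")
        exposed = [p for p in SAMPLE_PATHS if p not in hits]
        print(f"{'':14} still served: {exposed}")
```

Only the suffix-anchored rule denies `login.cgi~`, `login.cgi.bak` and `login.cgi.text` while leaving `login.cgi` itself reachable; the two `^`-anchored rules match none of the backup names.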


