Vulnerability Development mailing list archives
Apache HTTPD's magical behavior
From: Russell Handorf <rhandorf () mail russells-world com>
Date: Fri, 30 Nov 2001 12:04:01 -0500
Today I was browsing the Internet when I came across a server that would not let me view the contents of the root dir. However, it did let me view the contents of a dir within its root dir. So I tried the following:

http://<server>/<dir i can browse>../

And for some reason it allowed me to view the root dir and all of its contents. Anyone else have this problem? I submit the following example. First, go to http://backbone.sourceforge.com. Now, go to http://backbone.sourceforge.net/mrtg-2.8.12/.. (Don't forget the '..'s)

I know the server logs it as viewing the readable dir plus the /.. and that files within the root dir, once exposed via the '..', may have a problem with being downloaded. That is easily circumvented via adding in the file name after .. (ex: http://<Server>/<dir>/../<file>)
russ

==================================
Russell Handorf
oooo, shiney ::Wanders after it::
www.russells-world.com www.inside-aol.com www.terrorists.net www.bad-mother-fucker.org www.philly2600.net
"Computer games don't affect kids, I mean if Pacman affected us as kids, we'd all be running around in darkened rooms, munching pills and listening to repetitive music." ~unknown
==================================
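
A log check for the behaviour described in the message above, as an added example that is not part of the original post: it scans access-log lines for requests whose path contains a `..` segment and reports what that path resolves to and whether the server answered it successfully. The Common Log Format layout, the sample lines (constructed) and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines (not taken from any real server).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Nov/2001:12:00:01 -0500] "GET /mrtg-2.8.12/ HTTP/1.0" 200 5120
192.0.2.10 - - [30/Nov/2001:12:00:09 -0500] "GET /mrtg-2.8.12/.. HTTP/1.0" 200 2048
192.0.2.10 - - [30/Nov/2001:12:00:15 -0500] "GET /mrtg-2.8.12/../notes.txt HTTP/1.0" 200 811
192.0.2.44 - - [30/Nov/2001:12:01:02 -0500] "GET /docs/%2e%2e/ HTTP/1.0" 403 210
192.0.2.77 - - [30/Nov/2001:12:02:30 -0500] "GET /files/v1..2/readme HTTP/1.0" 200 900
"""

# client, ident, user, [timestamp], "METHOD target protocol", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')


def find_dotdot_requests(log_text):
    """Return (client, raw_path, resolved_path, status) for every request
    whose percent-decoded path contains a '..' path segment."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a line in the assumed format
        client, _method, target, status = m.groups()
        raw_path = urlsplit(target).path
        decoded = unquote(raw_path)  # catches %2e%2e as well as a literal '..'
        if ".." not in decoded.split("/"):
            continue  # a name such as 'v1..2' is not a parent reference
        # Where the request lands once the '..' segments are collapsed.
        resolved = posixpath.normpath(decoded)
        hits.append((client, raw_path, resolved, int(status)))
    return hits


def served(hits):
    """Keep only the hits the server answered with a 2xx status."""
    return [h for h in hits if 200 <= h[3] < 300]


if __name__ == "__main__":
    for client, raw, resolved, status in find_dotdot_requests(SAMPLE_LOG):
        print(f"{client} {status} {raw} -> {resolved}")
```

Hits with a 2xx status are the ones to review first, since they indicate the server returned content for a path that resolves outside the directory named in the request.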