Vulnerability Development mailing list archives

Re: Apache HTTPD's magical behavior


From: Ryan Yagatich <ryany () procyon pantek com>
Date: Fri, 30 Nov 2001 14:55:41 -0500 (EST)

Russell:
        I'm sorry if there is any confusion, however these 2 URLs are 
different. backbone.sourceforge.com is redirected to 'sourceforge.net' and 
backbone.sourceforge.net has directory browsing available anyways. By 
attempting to access backbone.sourceforge.com/mrtg-2.8.12/ I get a 404. 
When trying to access backbone.sourceforge.net/mrtg-2.8.12/ I show up with 
"Index of...."

When attempting to add .. to the directory, obviously I get 
backbone.sourceforge.net's directory because it's browseable anyways.

Could you please explain further on any other findings?

Thanks,
Ryan Yagatich

On Fri, 30 Nov 2001, Russell Handorf wrote:

-Today I was browsing the Internet when I came across a server that would 
-not let me view the contents of the root dir.
-
-However, it did let me view the contents of a dir within its root dir. So 
-I tried the following:
-
-http://<server>/<dir i can browse>../
-
-And for some reason it allowed me to view the root dir and all of its contents.
-
-Anyone else have this problem?
-
-I submit the following example.
-
-First, go to
-
-http://backbone.sourceforge.com
-
-now, go to
-
-http://backbone.sourceforge.net/mrtg-2.8.12/..         (Don't forget the '..'s)
-
-I know the server logs it as viewing the readable dir plus the /..    and 
-that files within the root dir, once exposed via the '..', may have a 
-problem with being downloaded. That is easily circumvented via adding in 
-the file name after .. (ex: http://<Server>/<dir>/../<file>)
-
-
-russ
-==================================
-Russell Handorf
-oooo, shiney ::Wanders after it::
-
-www.russells-world.com
-www.inside-aol.com
-www.terrorists.net
-www.bad-mother-fucker.org
-www.philly2600.net
-
-"Computer games don't affect kids, I mean if Pacman affected us as kids, 
-we'd all be running around in darkened rooms, munching pills and listening 
-to repetitive music." ~unknown
-==================================
-
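As an added example (not part of this thread or of either poster's work), the check Ryan describes doing by hand, run over access-log lines: normalise each request path the way the server does before mapping it to the filesystem, then compare the status of a '..' request with the status its resolved path received when requested directly. The log lines, hosts and directory names below are constructed for illustration.

```python
import re

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real server data); hosts and paths are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2001:14:55:41 -0500] "GET / HTTP/1.0" 200 2981',
    '10.0.0.5 - - [30/Nov/2001:14:56:02 -0500] "GET /mrtg-2.8.12/.. HTTP/1.0" 200 2981',
    '10.0.0.5 - - [30/Nov/2001:14:56:20 -0500] "GET /mrtg-2.8.12/../index.html HTTP/1.0" 200 1207',
    '10.0.0.9 - - [30/Nov/2001:15:01:13 -0500] "GET /private/ HTTP/1.0" 403 291',
    '10.0.0.9 - - [30/Nov/2001:15:01:30 -0500] "GET /mrtg-2.8.12/../private/ HTTP/1.0" 200 877',
]

def normalize_path(path):
    """Collapse '.' and '..' segments (RFC 3986 remove_dot_segments); a trailing
    dot segment still names a directory, so the result keeps its slash."""
    out = []
    segments = path.split("/")[1:]  # drop the empty element before the leading "/"
    for i, seg in enumerate(segments):
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
        if i == len(segments) - 1 and seg in (".", ".."):
            out.append("")
    return "/" + "/".join(out)

def analyze(log_lines):
    """One finding per dot-segment request; 'inconsistent' is True only when it
    got a 200 while the same resolved path requested directly did not."""
    direct, probes = {}, []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        raw = m["path"].split("?", 1)[0]
        resolved = normalize_path(raw)
        if raw == resolved:
            direct.setdefault(resolved, int(m["status"]))
        else:
            probes.append((m["host"], raw, resolved, int(m["status"])))
    return [
        {"client": host, "raw": raw, "resolved": resolved, "status": status,
         "direct_status": direct.get(resolved),
         "inconsistent": status == 200 and direct.get(resolved) not in (None, 200)}
        for host, raw, resolved, status in probes
    ]
```

In the sample, `/mrtg-2.8.12/..` resolves to `/`, which was served with 200 when requested directly, so it is flagged consistent, which is exactly Ryan's point; only the constructed `/private/` case, where the direct request got 403, is reported as inconsistent.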