Bugtraq mailing list archives

Re: httpd symlinks

From: panzer () dhp com (Panzer Boy)
Date: Thu, 7 Sep 1995 04:11:39 -0400


Jon Lewis (jlewis () inorganic5 chem ufl edu) wrote:
: I was just fooling around and was shocked to find that
: SymLinksIfOwnerMatch is totally broken in the version of Apache I've been
: using.  I created a symlink from a public_html dir to / and was able to
: see /.  I downloaded/compiled the latest apache and did some testing of
: SymLinksIfOwnerMatch with various versions of httpd I had handy and found
: the following:

: NCSA 1.3        works, even on double symlinks
: Apache 0.6.2    works on symlinks, broken for double symlinks
: Apache 0.8.8    broken for symlinks and double symlinks
: Apache 0.8.11   works, even on double symlinks

Wildcards in access files was broken on 0.8.8, I'm not sure about
ealier.  So even if you had "*/public_html*", homedirs wouldn't match...

--
 -Matt     (panzer () dhp com)                         DI-1-9026
 "That which can never be enforced should not be prohibited."

Current thread:

Re: httpd symlinks Daniel S. Riley (Sep 04)
- Re: httpd symlinks Jon Lewis (Sep 04)
- <Possible follow-ups>
- Re: httpd symlinks Panzer Boy (Sep 07)