Vulnerability Development mailing list archives
Re: Apache HTTPD's magical behavior
From: Russell Handorf <rhandorf () mail russells-world com>
Date: Fri, 30 Nov 2001 15:21:05 -0500
as it turns out the servers i tried this against had a misconfiguration. when i was working on this with other people, on their logs it showed that i was accessing the dir that was before the '..'

a misconfig in their httpd.conf file was corrected, and the problem solved. sorry for the confusion :)

russ

At 02:55 PM 11/30/2001 -0500, you wrote:
Russell:

I'm sorry if there is any confusion, however these 2 URLs are different. backbone.sourceforge.com is redirected to 'sourceforge.net' and backbone.sourceforge.net has directory browsing available anyways.

by attempting to access: backbone.sourceforge.com/mrtg-2.8.12/ I get a 404. when trying to access backbone.sourceforge.net/mrtg-2.8.12/ I show up with "Index of...."

when attempting to add .. to the directory, obviously i get backbone.sourceforge.net's directory because it's browsable anyways.

Could you please explain further on any other findings?

Thanks,
Ryan Yagatich

On Fri, 30 Nov 2001, Russell Handorf wrote:

-Today I was browsing the Internet when I came across a server that would
-not let me view the contents of the root dir.
-
-However, it did let me view the contents of a dir within its root dir. So
-I tried the following:
-
-http://<server>/<dir i can browse>../
-
-And for some reason it allowed me to view the root dir and all of its contents.
-
-Anyone else have this problem?
-
-I submit the following example.
-
-First, go to
-
-http://backbone.sourceforge.com
-
-now, go to
-
-http://backbone.sourceforge.net/mrtg-2.8.12/.. (Don't forget the '..'s)
-
-I know the server logs it as viewing the readable dir plus the /.. and
-that files within the root dir, once exposed via the '..', may have a
-problem with being downloaded. That is easily circumvented via adding in
-the file name after .. (ex: http://<Server>/<dir>/../<file>)
-
-
-russ
-==================================
-Russell Handorf
-oooo, shiney ::Wanders after it::
-
-www.russells-world.com
-www.inside-aol.com
-www.terrorists.net
-www.bad-mother-fucker.org
-www.philly2600.net
-
-"Computer games don't affect kids, I mean if Pacman affected us as kids,
-we'd all be running around in darkened rooms, munching pills and listening
-to repetitive music." ~unknown
-==================================