You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by "Marcin Zawadzki/GlobalVanet.com" <ma...@globalvanet.com> on 2006/07/12 21:48:47 UTC

2.0.x

In version 2.0.x (latest), is very important bug security.

When option followsymlinks and symlinksifownermatrch are disabled, there
is another way to use symlinks on linux. There is:

I created directory in document root (documentroot=/home/apachedata/htdocs):

mkdir directory1

then i create a symlinks, wchich names is the name of file in Directory
index (for example index.html)

ln -s /etc/passwd index.html

Then in browser i put:

http://hostname/directory1

and i see the passwd file i browser.
If i put http://hostname/directory1/index.html then this security
problem is not exist.
Please reapir this error(bug), and email me when it is repaired.

Sorry for my English.

-- 
Marcin Zawadzki, http://ftims.pl/~marcin/
GPG: 4096D/81DFA928 6C5C F525 8CAA 2A20 B878  C248 08FE 060C 81DF A928