Posted to users@httpd.apache.org by "Strader, William Alexander (WAX)" <st...@y12.doe.gov> on 2003/11/06 18:24:10 UTC
[users@httpd] Redirect for the "..\.." Security Issue
Does anyone know how to redirect that "..\.." security issue to a 404
page... We are undergoing a security audit and they keep freaking out because
if they go to http://webserver/somedir/..\..\..\..\..\etc\passwd they see a
directory listing. The directory listing they see is the same as if they
go to http://webserver/somedir/ which is supposed to be there.... So it
isn't a security issue but every time they get a 200 vs a 404 when they do a
"..\.." they freak out... Anyone know of a way to send them to 404 or
something?
Thanks,
Billy S.
WebPool
Office: (865) 425-5178
Pager: (865) 417-5012
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Redirect for the "..\.." Security Issue
Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 6 Nov 2003, Strader, William Alexander (WAX) wrote:
> Does anyone know how to redirect that "..\.." security issue to a 404
> page... We are undergoing a security audit and they keep freaking out because
> if they go to http://webserver/somedir/..\..\..\..\..\etc\passwd they see a
> directory listing. The directory listing they see is the same as if they
> go to http://webserver/somedir/ which is supposed to be there.... So it
> isn't a security issue but every time they get a 200 vs a 404 when they do a
> "..\.." they freak out... Anyone know of a way to send them to 404 or
> something?
# Deny any request whose URL path contains ".."
<LocationMatch \.\.>
Order allow,deny
Deny from all
</LocationMatch>
Might do the trick.
Joshua.
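
An added example, not part of either post: a log check to confirm whether requests with a ".." path segment are still being answered with a 2xx status once a deny rule is in place. It assumes Common Log Format access logs; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# A ".." path segment delimited by "/" or "\" (or by the ends of the path).
# Also matches logs where Apache has escaped "\" as "\\".
DOTDOT = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def has_dotdot(raw_target):
    """True if the request path holds a '..' segment, after undoing up to
    two layers of percent-encoding (%2e%2e, %5c, %252e...)."""
    path = raw_target.split("?", 1)[0]   # ignore the query string
    for _ in range(3):                   # raw, decoded once, decoded twice
        if DOTDOT.search(path):
            return True
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return False

def served_dotdot(log_lines):
    """Return (client, target, status) for '..' requests answered with 2xx."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        if has_dotdot(target) and status.startswith("2"):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log lines (not from the thread); 192.0.2.x is a documentation range.
SAMPLE = [
    r'192.0.2.10 - - [06/Nov/2003:18:20:01 -0500] "GET /somedir/ HTTP/1.0" 200 1432',
    r'192.0.2.10 - - [06/Nov/2003:18:20:05 -0500] "GET /somedir/..\..\..\..\..\etc\passwd HTTP/1.0" 200 1432',
    r'192.0.2.10 - - [06/Nov/2003:18:21:40 -0500] "GET /somedir/..\..\etc\passwd HTTP/1.0" 403 291',
    r'192.0.2.11 - - [06/Nov/2003:18:22:02 -0500] "GET /somedir/%2e%2e%5c%2e%2e%5cetc HTTP/1.0" 200 1432',
    r'192.0.2.11 - - [06/Nov/2003:18:22:09 -0500] "GET /docs/v1..2/notes.html HTTP/1.0" 200 877',
]

if __name__ == "__main__":
    for client, target, status in served_dotdot(SAMPLE):
        print(f"{status} {client} {target}")
```

The last sample line is not flagged because "v1..2" is not a ".." path segment, although the unanchored pattern `\.\.` would match it.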