You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 1998/08/24 23:35:33 UTC

Re: Directory names with dots (fwd)

Whoop de-doo-dah.

Sigh oink ouch.

---------- Forwarded message ----------
Date: Mon, 24 Aug 1998 09:58:41 -0700
From: Andrew Fladmark <an...@ORBITAL-WEB.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Directory names with dots

I tested this out this morning, and found the following.  The directory
need not actually contain .com for the problem to occur.  I tried the
following combinations:

http://www.ourserver.com/www.jones.com/hello.asp
http://www.ourserver.com/www.jones.net/hello.asp
http://www.ourserver.com/www.micha/hello.asp
http://www.ourserver.com/blah.blah/hello.asp

So as near as I can tell, the directory need only to contain a period.

If the directory is on a FAT drive, it will display the source to everyone,
if it is on an NTFS drive, and the permissions are set to everyone on the
directory, the source will display.  Only if there are restricted
permissions will it ask for a password.

Andrew Fladmark
Orbital Web Design
andrew@orbital-web.net
http://www.orbital-web.net

At 10:49 AM 8/24/98 +0200, you wrote:
>When a directory containing .asp files contains the string .com, the ASP
>code is not executed but simply shown to the user. Example:
>
>http://www.test.com/www.directory.com/sample.asp  or
>http://www.test.com/www.com/sample.asp  or