Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/03/10 15:20:00 UTC
config/1927: Get full access to apache installation path by misusing https (fwd)
The following reply was made to PR config/1927; it has been noted by GNATS.
From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:
Subject: config/1927: Get full access to apache installation path by misusing https (fwd)
Date: Tue, 10 Mar 1998 07:13:31 -0700 (MST)
---------- Forwarded message ----------
Date: Tue, 10 Mar 1998 11:13:47 +0100
From: Andreas Heilwagen <ho...@netguru.org>
To: marc@hyperreal.org
Cc: apache-bugdb@apache.org, marc@apache.org
Subject: config/1927: Get full access to apache installation path by misusing https
Hello,
marc@hyperreal.org wrote:
>
> First, we have nothing to do with the SSL patches so we can not
> do anything about them. Can you reproduce this problem without
> them?
The point is that you need the https support to drop to an unwanted
http server which is not configured. I do not know how the module
stuff exactly works, but I think the SSL module fails to check if
the mentioned problem occurs. On the other hand there could be a
reason to check for unconfigured URLs in the apache code to get
on the safe side concerning new modules.
I will send information on this problem to the SSL guy. So you will
not lose any time in implementing new code and tracking more important
problems.
> What path are you talking about? ie. what define in
> httpd.h is set to it? What is your DocumentRoot
> set to in your main server config? ie. not any virtualhost.
I had my DocumentRoot set to the installpath of apache. After
recompiling the code it points to a location where nobody can
get any files and only gets a short go-away message. To set
it to the point where the virtual servers stuff lives would be
no good idea.
> Exactly what you are saying is the problem isn't really
> clear. I don't see how adding an index.html file would
> help anything if what you explain is correct; then all they
> have to do is guess the name of what they want, which isn't
> too hard.
You're right, there were too many things I had to handle at once
in that moment. Especially that guy who told us that he "attacked"
us successfully was not a nice one. I had to find a quick solution
to block him from accessing more files. I don't think that he got
the interesting non-standard parts of directory/file structure.
Bye,
Andreas Heilwagen.
e-mail: <ho...@netguru.org> http://netguru.org