Posted to apache-bugdb@apache.org by Marc Slemko <ma...@znep.com> on 1998/03/10 15:20:00 UTC

config/1927: Get full access to apache installation path by misusing https (fwd)

The following reply was made to PR config/1927; it has been noted by GNATS.

From: Marc Slemko <ma...@znep.com>
To: Apache bugs database <ap...@apache.org>
Cc:
Subject: config/1927: Get full access to apache installation path by misusing https (fwd)
Date: Tue, 10 Mar 1998 07:13:31 -0700 (MST)

 ---------- Forwarded message ----------
 Date: Tue, 10 Mar 1998 11:13:47 +0100
 From: Andreas Heilwagen <ho...@netguru.org>
 To: marc@hyperreal.org
 Cc: apache-bugdb@apache.org, marc@apache.org
 Subject: config/1927: Get full access to apache installation path by misusing https
 
 Hello,
 
 marc@hyperreal.org wrote:
 > 
 > First, we have nothing to do with the SSL patches so we can not
 > do anything about them.  Can you reproduce this problem without
 > them?
 
 The point is that you need the https support to drop to an unwanted
 http server which is not configured. I do not know how the module
 stuff exactly works, but I think the SSL module fails to check if
 the mentioned problem occurs. On the other hand there could be a
 reason to check for unconfigured URLs in the apache code to get
 on the safe side concerning new modules.
 
 I will send information on this problem to the SSL guy. So you will
 not lose any time in implementing new code and tracking more important
 problems.
 
 > What path are you talking about?  ie. what define in
 > httpd.h is set to it?  What is your DocumentRoot
 > set to in your main server config?  ie. not any virtualhost.
 
 I had my DocumentRoot set to the installpath of apache. After
 recompiling the code it points to a location where nobody can
 get any files and only gets a short go-away message. To set
 it to the point where the virtual servers stuff lives would be
 no good idea.
 
 > Exactly what you are saying is the problem isn't really
 > clear.  I don't see how adding an index.html file would
 > help anything if what you explain is correct; then all they
 > have to do is guess the name of what they want, which isn't
 > too hard.
 
 You're right, there were too many things I had to handle at once
 in that moment. Especially that guy who told us that he "attacked"
 us successfully was not a nice one. I had to find a quick solution
 to block him from accessing more files. I don't think that he got
 the interesting non-standard parts of directory/file structure.
 
 Bye,
   Andreas Heilwagen.
 
     _   __     __  ______
    / | / /__  / /_/ ____/_  _________  __    ____  _________ _
   /  |/ / _ \/ __/ / __/ / / / ___/ / / /   / __ \/ ___/ __ `/
  / /|  /  __/ /_/ /_/ / /_/ / /  / /_/ / _ / /_/ / /  / /_/ /
 /_/ |_/\___/\__/\____/\__,_/_/   \__,_/ (_)\____/_/   \__, /
 e-mail: <ho...@netguru.org>  http://netguru.org /____/