You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by George Gallen <gg...@slackinc.com> on 2002/03/18 20:06:52 UTC
Why a 404 vs 401?
I have all my directories password protected but
why would one request give permission denied, and the other
a page not found?
I don't have a /bin directory at all.
Granted I know this had no effect on my server, if anything confusing
to the hacker. Just wondering why the difference in codes?
George
213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
/bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
0
213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
/bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401
0
Re: Why a 404 vs 401?
Posted by Artiom Morozov <ar...@phreaker.net>.
it's all the matter of how apache decodes those codes and what it tries
to stat() and open() then. if curious, you can attach with strace to
apache process and post those requests and see what system calls are
made...
On 2002.03.18 21:06 George Gallen wrote:
> I have all my directories password protected but
> why would one request give permission denied, and the other
> a page not found?
>
> I don't have a /bin directory at all.
>
> Granted I know this had no effect on my server, if anything confusing
> to the hacker. Just wondering why the difference in codes?
>
> George
>
>
>
> 213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
> /bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404
> 0
> 213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
> /bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 401
> 0
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Why a 404 vs 401?
Posted by alex dyas <ad...@twowaytv.co.uk>.
judging by the time stamps it was the same request. maybe apache is
generating both 401 AND 404 for the same single request.
alex..
George Gallen wrote:
> I have all my directories password protected but
> why would one request give permission denied, and the other
> a page not found?
>
> I don't have a /bin directory at all.
>
> Granted I know this had no effect on my server, if anything confusing
> to the hacker. Just wondering why the difference in codes?
>
> George
>
>
>
> 213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
> /bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
> 404 0
>
> 213.20.0.220 - - [17/Mar/2002:09:48:16 -0500] "HEAD
> /bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
> 401 0
>
--
-= alex dyas - webmaster - twowaytv - uk =-
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org