Posted to users@httpd.apache.org by Joshua Slive <jo...@slive.ca> on 2002/09/11 22:30:38 UTC

Re: [users@httpd] Strange behavior of Apache 1.3.26

douglap@dupreeinc.com wrote:
> I had a file on the apache server called GenerateIndex.php which I renamed to GenerateIndex.php.old at some point while I was working on the site. 
> Later, I was at a remote site and I missed my click on the history bar and mistakenly selected a link to the file GenerateIndex.php file.  Well, the Apache 
> server sent the raw text from the GenerateIndex.php.old file to my remote location (I was a bit concerned because the php file has some database 
> usernames and passwords hard coded into it).
> 
> Is this a bug that should be reported or is this behavior (asking for GenerateIndex.php and receiving GenerateIndex.php.old) already known or 
> expected?

See the Options directives with special attention to the MultiViews 
option.  You probably want that turned off unless you are doing 
content negotiation.

I would also guess you are using a <FilesMatch> to designate your php 
scripts, rather than the better AddType or AddHandler directives, which 
would have marked the file as a php script regardless of the extra 
extension.

And, of course, I'm sure you have now figured out that it is not a good 
idea to keep material that you don't want web-accessible in the webspace.

Joshua.
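
An added example, not part of the original message or of the Apache project: a Python audit of a document root for renamed script copies such as GenerateIndex.php.old, flagging those that a request for the old name would also reach through MultiViews. The extension lists, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed lists for this example; extend them to match the site's conventions.
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".inc"}
LEFTOVER_SUFFIXES = (".old", ".bak", ".orig", ".save", "~")


def audit_docroot(docroot):
    """Return sorted (leftover_file, old_request_name, negotiable) tuples.

    negotiable is True when the old name no longer exists on disk and the
    leftover matches old_name.*, the case where MultiViews answers a request
    for the old name with the renamed copy.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        present = set(files)
        for name in files:
            suffix = next((s for s in LEFTOVER_SUFFIXES
                           if name.lower().endswith(s)), None)
            if suffix is None:
                continue
            old_name = name[:-len(suffix)]
            if os.path.splitext(old_name)[1].lower() not in SCRIPT_EXTS:
                continue
            rel_dir = os.path.relpath(dirpath, docroot)
            prefix = "" if rel_dir == "." else rel_dir.replace(os.sep, "/") + "/"
            negotiable = suffix.startswith(".") and old_name not in present
            findings.append((prefix + name, prefix + old_name, negotiable))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree mirroring the situation in the thread."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "admin"))
    for rel in ("GenerateIndex.php.old",       # renamed, original name gone
                "index.php", "index.php.bak",  # original still present
                "admin/db.inc~",               # editor backup, no dot suffix
                "notes.txt.old"):              # not a script: ignored
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
    return root


if __name__ == "__main__":
    for leftover, old_name, negotiable in audit_docroot(build_sample_docroot()):
        note = "also served for /" + old_name if negotiable else "direct URL only"
        print(f"/{leftover}: {note}")
```

Every reported file is still reachable at its own URL, so the remedy for all of them is the one in the reply above: move them out of the webspace.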

