Posted to users@httpd.apache.org by Carol Langland <cl...@zeh.com> on 2002/08/16 17:51:34 UTC
Security Advisory
I was wondering if anyone knows about the recent security advisory posted on
August 9th. The document says that you can edit your httpd.conf file and
add the following line:
RedirectMatch 400 "\\\.\."
Does anyone know if this "patch" works on version 1.3.6 (Windows)? The
writeup isn't quite clear. Also, does anyone know how to hack into the
security hole so we can check to see if the patch works?
Thanks for your help.
Carol
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Carol Langland 281.589.7757 Voice
ZEH Software, Inc. 281.558.3043 Fax
Product Manager clangland@zeh.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Security Advisory
Posted by Joshua Slive <jo...@slive.ca>.
Joshua Slive wrote:
> Carol Langland wrote:
>
>> I was wondering if anyone knows about the recent security advisory
>> posted on
>> August 9th. The document says that you can edit your httpd.conf file and
>> add the following line:
>>
>> RedirectMatch 400 "\\\.\."
>>
>> Does anyone know if this "patch" works on version 1.3.6 (Windows)?
>
>
> The advisory is for 2.0 only. 1.3 is not thought to be vulnerable. I
> don't believe that you can do any harm with the RedirectMatch, however.
On second thought, I shouldn't leave it at that. 1.3.6 on Windows is
not vulnerable to THAT problem, but is vulnerable to several other
problems. I hope you just made a typo and are really running 1.3.26.
Otherwise I suggest you upgrade immediately. See:
http://www.apacheweek.com/features/security-13
Joshua.
Re: Security Advisory
Posted by Joshua Slive <jo...@slive.ca>.
Carol Langland wrote:
> I was wondering if anyone knows about the recent security advisory posted on
> August 9th. The document says that you can edit your httpd.conf file and
> add the following line:
>
> RedirectMatch 400 "\\\.\."
>
> Does anyone know if this "patch" works on version 1.3.6 (Windows)?
The advisory is for 2.0 only. 1.3 is not thought to be vulnerable. I
don't believe that you can do any harm with the RedirectMatch, however.
> The
> writeup isn't quite clear. Also, does anyone know how to hack into the
> security hole so we can check to see if the patch works?
If you hang out on Bugtraq, I'm sure you'll see it eventually. The
Apache people are trying not to distribute it until people have a chance
to protect their server.
Joshua.