Posted to users@httpd.apache.org by Mathew Thomas <ma...@rmit.edu.au> on 2002/11/11 23:50:17 UTC
[users@httpd] Apache 2 .x Security problem
Dear all,
I have a strange problem with my Apache server running Apache-2.0.39 on Ultra SPARC with Solaris 8. I configured it with a basic configuration. I am also using php-4.2.2 with Apache, and PHP uses MySQL. The problem is that if someone types a URL like the following in their browser, it displays world-readable system files. For example:
http://FQDN-of-the-machine/~non-existent-user/etc/passwd
The above will display the password file in the user's browser.
If the user exists, http://FQDN-of-the-machine/~existent-user/etc/passwd
will display the error message "Object Not Found".
http://FQDN-of-the-machine/~existent-user is showing their home page without any problems.
How can I fix it? Thanks in advance for the help.
Regards
Mathew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2 .x Security problem
Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 12 Nov 2002, Mathew Thomas wrote:
> Dear all,
>
> I have a strange problem with my Apache server running Apache-2.0.39 on Ultra SPARC with Solaris 8. I configured it with a basic configuration. I am also using php-4.2.2 with Apache, and PHP uses MySQL. The problem is that if someone types a URL like the following in their browser, it displays world-readable system files. For example:
This is an old version of Apache; you should upgrade.
>
> http://FQDN-of-the-machine/~non-existent-user/etc/passwd
>
> The above will display the password file in the user's browser.
> If the user exists, http://FQDN-of-the-machine/~existent-user/etc/passwd
>
> will display the error message "Object Not Found".
>
> http://FQDN-of-the-machine/~existent-user is showing their home page without any problems.
>
> How can I fix it? Thanks in advance for the help.
I have seen this reported a few times elsewhere.
See:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11386
(Don't reopen that bug unless you can recreate the problem in the latest
version of Apache.)
I would suspect some borked Solaris libraries or something of the sort.
Joshua.
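
An added example, not part of either message: a log audit for the behaviour reported in this thread, flagging successful responses to `/~name/...` requests where `name` is not a local account. The log lines, client addresses and account set are constructed, and the access log is assumed to be in Common Log Format.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
USERDIR = re.compile(r'^/~([^/]+)(/.*)?$')


def suspicious_userdir_hits(lines, known_users):
    """Return (client, user, subpath) for every 2xx response to a /~user/
    request whose user is not in known_users."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        client, _when, _method, target, status = m.groups()
        # Drop the query string and decode %7E etc. before matching.
        path = unquote(target.split('?', 1)[0])
        u = USERDIR.match(path)
        if not u:
            continue
        user, subpath = u.group(1), u.group(2) or '/'
        if status.startswith('2') and user not in known_users:
            hits.append((client, user, subpath))
    return hits


# Constructed sample input (documentation addresses, made-up accounts).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Nov/2002:23:40:01 +1100] "GET /~alice/ HTTP/1.0" 200 1532',
    '192.0.2.10 - - [11/Nov/2002:23:40:09 +1100] "GET /~alice/etc/passwd HTTP/1.0" 404 287',
    '192.0.2.77 - - [11/Nov/2002:23:41:30 +1100] "GET /~nosuchuser/etc/passwd HTTP/1.0" 200 913',
    '192.0.2.77 - - [11/Nov/2002:23:41:42 +1100] "GET /%7Enosuchuser/etc/group HTTP/1.0" 200 402',
    '192.0.2.80 - - [11/Nov/2002:23:42:00 +1100] "GET /index.html HTTP/1.0" 200 2048',
]
KNOWN_USERS = {'alice'}  # assumption: in real use, build this from the passwd database

if __name__ == '__main__':
    for client, user, subpath in suspicious_userdir_hits(SAMPLE_LOG, KNOWN_USERS):
        print(f'{client} got 2xx for unknown user ~{user}: {subpath}')
```

On a real host the account set can be built with `pwd.getpwall()` from the Python standard library instead of the hard-coded set.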