Posted to cvs@httpd.apache.org by fa...@locus.apache.org on 2000/09/22 22:41:02 UTC

cvs commit: apache-1.3/src CHANGES

fanf        00/09/22 13:41:02

  Modified:    src      CHANGES
  Log:
  Note the fix of the mod_rewrite multi-pass expansion security problem.
  
  Revision  Changes    Path
  1.1578    +6 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1577
  retrieving revision 1.1578
  diff -u -u -r1.1577 -r1.1578
  --- CHANGES	2000/09/21 13:19:22	1.1577
  +++ CHANGES	2000/09/22 20:40:57	1.1578
  @@ -1,5 +1,11 @@
   Changes with Apache 1.3.13
   
  +  *) Fix a security problem that affects some configurations of
  +     mod_rewrite. If the result of a RewriteRule is a filename that
  +     contains expansion specifiers, especially regexp backreferences
  +     $0..$9 and %0..%9, then it may have been possible for an attacker
  +     to access any file on the web server. [Tony Finch]
  +
     *) Add mod_auth_dbm (sdbm flavor) binary build for Win32.
        [William Rowe]
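
Review bot: The added entry under "Changes with Apache 1.3.13" says the problem affects "some configurations of mod_rewrite" but gives an administrator no way to tell whether their own rules are among them or what to do about it. The commit log calls this the "multi-pass expansion" problem, and that phrase is missing from the entry; carrying it into the text would tie the symptom (a rewritten filename that contains $0..$9 or %0..%9) to its cause. It would also help to state whether upgrading is sufficient or whether existing RewriteRule lines need to be reviewed, and to replace the hedged "it may have been possible" and the broad "access any file on the web server" with a plain statement of what was exposed.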