You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/07/11 00:50:46 UTC

DO NOT REPLY [Bug 10667] New: - server-status does not limit access using allow from/deny from

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10667>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10667

server-status does not limit access using allow from/deny from

           Summary: server-status does not limit access using allow
                    from/deny from
           Product: Apache httpd-1.3
           Version: 1.3.26
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: scott@brynen.com
                CC: scott@brynen.com


It would appear in one of the latest versions of httpd 1.3.26 (maybe earlier) 
someone broke the server-status access code.  Despite having allow/deny froms 
(see below), /server-status is still readable by all (don't beleive me, try 
http://www.apache.org/server-status)

<Location /server-status>
    SetHandler server-status
    order deny,allow
    Deny from all
    Allow from 192.168.0
    Allow from 24.65.162.171
</Location>

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org