You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Jose Adriano Baltieri <ja...@unimep.br> on 2006/08/24 13:12:21 UTC

[users@httpd] mod_xsendfile and security issues

I'm using mod_xsendfile 
(http://celebnamer.celebworld.ws/stuff/mod_xsendfile) with Apache 2.0.58 
on Windows.

My scripts are issuing the x-sendfile http header and, Apache is 
interpreting it correctly, sending the designated file path to the 
client. So far, so good.

However, Apache DOES NOT remove or "swallows" the x-sendfile header. It 
will go along to client side, revealing to client side my internal file 
system paths.

I think this is a severe security vulnerability.

Can you notice the same problem ?

If not:

- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt 
and in which order ?

If you're having the same problem:

- How can we fix it ?

Thanks in advance for you help !


-- 
Obrigado,
------------------------------------------------------------------------------
                Jose Adriano Baltieri - Analista de Sistemas
                DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
                PIRACICABA - SP - Brasil - Fone : (19) 3124-1858
------------------------------------------------------------------------------


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] mod_xsendfile and security issues

Posted by Nick Kew <ni...@webthing.com>.

On Thursday 24 August 2006 12:12, Jose Adriano Baltieri wrote:

> However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
> will go along to client side, revealing to client side my internal file
> system paths.

Does Header Unset x-sendfile have any effect?

> I think this is a severe security vulnerability.

Well, it may be unwanted, but to be a secure security
vulnerability seems to imply that security depends on
obscurity.

> Can you notice the same problem ?

I don't expect many people here use that module.
Have you asked its developer?

-- 
Nick Kew

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org