You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jose Adriano Baltieri <ja...@unimep.br> on 2006/08/24 13:12:21 UTC
[users@httpd] mod_xsendfile and security issues
I'm using mod_xsendfile
(http://celebnamer.celebworld.ws/stuff/mod_xsendfile) with Apache 2.0.58
on Windows.
My scripts are issuing the x-sendfile http header and, Apache is
interpreting it correctly, sending the designated file path to the
client. So far, so good.
However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
will go along to client side, revealing to client side my internal file
system paths.
I think this is a severe security vulnerability.
Can you notice the same problem ?
If not:
- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt
and in which order ?
If you're having the same problem:
- How can we fix it ?
Thanks in advance for you help !
--
Obrigado,
------------------------------------------------------------------------------
Jose Adriano Baltieri - Analista de Sistemas
DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
PIRACICABA - SP - Brasil - Fone : (19) 3124-1858
------------------------------------------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_xsendfile and security issues
Posted by Nick Kew <ni...@webthing.com>.
On Thursday 24 August 2006 12:12, Jose Adriano Baltieri wrote:
> However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
> will go along to client side, revealing to client side my internal file
> system paths.
Does Header Unset x-sendfile have any effect?
> I think this is a severe security vulnerability.
Well, it may be unwanted, but to be a secure security
vulnerability seems to imply that security depends on
obscurity.
> Can you notice the same problem ?
I don't expect many people here use that module.
Have you asked its developer?
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org