<<< Date Index >>>     <<< Thread Index >>>

Re: BUG IN APACHE HTTPD SERVER (current version 2.0.47)



* langtuhaohoa caothuvolam <trungonly@xxxxxxxxx> wrote:

> Deny From All: In this way they can access from outside the server.

You mean: An attacker needs to place such a script on the server, which
includes the requested uri.
If he's able to do so, he can

(a) read the file anyway
(b) simply open it from inside the script using normal file operations.

I cannot see a vuln here. If he's able to take the actions described above,
one has *real* trouble on the server.

This seems to me the same topic as the mod_perl hijacking. If you don't trust
your users, don't let them execute code from inside the server.

nd