RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
I don't acknowledge this.
I tested this with Windows XPsp1 running IE 6.0.2800 with latest
patches. Running on the latest build of Apache server on the same box.
IE knew the difference between 'web-inf..' And 'web-inf.' and
'web-inf...' (so did apache). Matter of a fact creating separate pages
with these names resulted in separate loading.
Perhaps your 'claim' can be further substatiated by what 'you' are doing
to IE to cause this.
J.
:> -----Original Message-----
:> From: Alun Jones [mailto:alun@xxxxxxxxx]
:> Sent: Thursday, February 12, 2004 5:32 PM
:> To: 'Peter J. Holzer'; bugtraq@xxxxxxxxxxxxxxxxx
:> Subject: RE: Apache Http Server Reveals Script Source Code
:> to Remote Users And Any Users Can Access The Forbidden
:> Directory ("/WEB-INF/")
:>
:>
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp@xxxxxxxxx]
:> > Sent: Wednesday, February 11, 2004 6:50 AM
:> >
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two
:> different, legal file
:> > names. On Windows, trailing dots seem to be ignored, so
:> "WEB-INF" and
:> > "WEB-INF.." are just two names for the same file. This
:> also works if
:> > the filename already has an extension, so for example
:> "foo.html" and
:> > "foo.html....." are the same file, too. I wonder whether
:> that can be
:> > exploited, too: Get the contents of a CGI script by requesting
:> > "foo.cgi."?
:>
:> It's been done before - certainly in IIS, there was a bug
:> where getting a "filename.asp." URL gave you the source of
:> the ASP script. Same for "filename.asp:$DATA".
:>
:> Alun.
:> ~~~~
:> --
:> Texas Imperial Software | Find us at http://www.wftpd.com or email
:> 1602 Harvest Moon Place | alun@xxxxxxxxxx
:> Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP
:> servers. Fax/Voice +1(512)258-9858 | Try our NEW client
:> software, WFTPD Explorer.
:>
:>