<<< Date Index >>>     <<< Thread Index >>>

RE: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")



I don't acknowledge this.

I tested this with Windows XPsp1 running IE 6.0.2800 with latest
patches.  Running on the latest build of Apache server on the same box.

IE knew the difference between 'web-inf..' And 'web-inf.' and
'web-inf...' (so did apache).  Matter of a fact creating separate pages
with these names resulted in separate loading.

Perhaps your 'claim' can be further substatiated by what 'you' are doing
to IE to cause this.

J.


:> -----Original Message-----
:> From: Alun Jones [mailto:alun@xxxxxxxxx] 
:> Sent: Thursday, February 12, 2004 5:32 PM
:> To: 'Peter J. Holzer'; bugtraq@xxxxxxxxxxxxxxxxx
:> Subject: RE: Apache Http Server Reveals Script Source Code 
:> to Remote Users And Any Users Can Access The Forbidden 
:> Directory ("/WEB-INF/")
:> 
:> 
:> > -----Original Message-----
:> > From: Peter J. Holzer [mailto:hjp@xxxxxxxxx]
:> > Sent: Wednesday, February 11, 2004 6:50 AM
:> > 
:> > Right. On Unix "WEB-INF" and "WEB-INF.." are two 
:> different, legal file 
:> > names. On Windows, trailing dots seem to be ignored, so 
:> "WEB-INF" and 
:> > "WEB-INF.." are just two names for the same file. This 
:> also works if 
:> > the filename already has an extension, so for example 
:> "foo.html" and
:> > "foo.html....." are the same file, too. I wonder whether 
:> that can be
:> > exploited, too: Get the contents of a CGI script by requesting
:> > "foo.cgi."?
:> 
:> It's been done before - certainly in IIS, there was a bug 
:> where getting a "filename.asp." URL gave you the source of 
:> the ASP script.  Same for "filename.asp:$DATA".
:> 
:> Alun.
:> ~~~~
:> -- 
:> Texas Imperial Software   | Find us at http://www.wftpd.com or email
:> 1602 Harvest Moon Place   | alun@xxxxxxxxxx
:> Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP 
:> servers. Fax/Voice +1(512)258-9858 | Try our NEW client 
:> software, WFTPD Explorer.
:> 
:>