On Tuesday 04:57 PM 8/19/2008, Rusty Brooks wrote:
>  Personally I can't
imagine any persuasive argument that a caching mechanism that can easily confuse /usr/local/private/var/rootpass and /var/tmp/verisign/certs/webcert.txt should be enabled by default in a web server.

Oh, come on.  Only if you're rapidly creating and deleting these files.

Yes, I've explained the conditions several times. The point was that the files can be in completely different locations in the filesystem with completely different names, and may have secure contents.

Again: this is not an academic point. This is an actual bug encountered in actual code, resulting in data corruption (effectively) and possible information leakage--and all because "ns_returnfile X" may not actually return file X. I don't doubt that there are other people who are also at risk due to this behavior of ns_returnfile/fastpath.

If it's no big deal for you, great, but the security implications are nonetheless serious.

- John


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> 
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.

Reply via email to