On Tuesday 04:57 PM 8/19/2008, Rusty Brooks wrote:
> Personally I can't
imagine any persuasive argument that a caching mechanism that can easily
confuse /usr/local/private/var/rootpass and
/var/tmp/verisign/certs/webcert.txt should be enabled by default in a
web server.
Oh, come on. Only if you're rapidly creating and deleting these files.
Yes, I've explained the conditions several times. The point was that the
files can be in completely different locations in the filesystem with
completely different names, and may have secure contents.
Again: this is not an academic point. This is an actual bug encountered
in actual code, resulting in data corruption (effectively) and possible
information leakage--and all because "ns_returnfile X" may not actually
return file X. I don't doubt that there are other people who are also at
risk due to this behavior of ns_returnfile/fastpath.
If it's no big deal for you, great, but the security implications are
nonetheless serious.
- John
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.