The contract type is `' with a response time of 3 business hours.
        A first analysis should be sent before: Wed Apr 02 09:00:00 PST 1997


>Number:         297
>Category:       mod_proxy
>Synopsis:       Allow/Deny proxy module inconsistent behavior
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Apr  1 14:50:00 1997
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.2b7
>Environment:
Linux/i386 Redhat 4.0
>Description:
The Allow and Deny part of the proxy module does not work correctly as far as I
can tell. I have used the syntax as recommended in the docs:

<Directory proxy:*>
order deny,allow
deny from all
allow from 128.104.30.130 128.104.20.10
</Directory>

But, this does not work correctly. It does deny everyone to things like
GET http://www.linux.org/
or
GET http://www.ssc.org/

But allows everyone access to:
GET http://www.linux.org/index.html
or 
GET http://www.linux.org/help/index.html

Basically, it lets everyone through if the URL they request doesn't end with /
>How-To-Repeat:
Just set up apache as a proxy and try and limit access.
>Fix:
I tried to dig through the code but no luck yet. This is a big security hole 
for anyone running apache as a proxy. 

Maybe my <Directory proxy:*> syntax is wrong in the access.conf file.
>Audit-Trail:
>Unformatted:
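
A check for the symptom described in this report, added here as an example and not part of the original report or the Apache code: run from a client address outside the allow list, it sends the four quoted URLs to the proxy and lists any that were not refused. The function names, the local StubProxy (a constructed stand-in that mimics the reported behaviour and forwards nothing) and the rule that only a 403 counts as a refusal are assumptions.

```python
import http.client
import threading
from contextlib import closing
from http.server import BaseHTTPRequestHandler, HTTPServer

# The four requests quoted in the report: two end in "/", two do not.
REPORT_URLS = [
    "http://www.linux.org/", "http://www.ssc.org/",
    "http://www.linux.org/index.html", "http://www.linux.org/help/index.html",
]

def probe(proxy_host, proxy_port, urls=REPORT_URLS, timeout=5):
    """Send each URL to the proxy as an absolute-URI GET; return {url: status}."""
    results = {}
    for url in urls:
        with closing(http.client.HTTPConnection(proxy_host, proxy_port, timeout=timeout)) as conn:
            conn.request("GET", url)  # request line: GET http://host/path HTTP/1.1
            results[url] = conn.getresponse().status
    return results

def leaks(results):
    """URLs that were not refused (assumption: only 403 counts as a refusal)."""
    return sorted(u for u, s in results.items() if s != 403)

def by_trailing_slash(results):
    """Group the observed statuses by the pattern the report describes."""
    groups = {"ends_with_slash": set(), "other": set()}
    for url, status in results.items():
        groups["ends_with_slash" if url.endswith("/") else "other"].add(status)
    return groups

class StubProxy(BaseHTTPRequestHandler):
    """Constructed stand-in that mimics the reported symptom; it forwards nothing."""
    def do_GET(self):
        self.send_response(403 if self.path.endswith("/") else 200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo output quiet

def demo():
    """Probe the local stub; returns (leaks, statuses grouped by trailing slash)."""
    with HTTPServer(("127.0.0.1", 0), StubProxy) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results = probe("127.0.0.1", server.server_address[1])
        server.shutdown()
    return leaks(results), by_trailing_slash(results)

if __name__ == "__main__":
    print(demo())
```

Against a real proxy, call probe() with its host and port; an empty leaks() result means every request was refused.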

