>Number: 1053
>Category: mod_negotiation
>Synopsis: "Negotiated" DirectoryIndex file listed in error if
>inaccessible
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Aug 25 10:10:01 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2.1
>Environment:
OSF1 localhost V3.2 47 alpha
>Description:
My server config files contain "DirectoryIndex index.cgi index welcome default"
If I request a "directory object" such as http://host/foo/, and
the pseudo-negotiated file (index.cgi) is inaccessible, I will be presented
with a
Forbidden
You don't have permission to access /index.cgi on this server.
Notice that the hidden DirectoryIndex file name is herewith
revealed..
If there is no index.cgi, but there *is* a protected index.html,
the message changes to name "/index on this server".
Clearly too much implementation-specific information is being
included in the error message.
>How-To-Repeat:
Try to access the directory object in a multiviewed directory whose
DirectoryIndex file(s) is(are) protected.
>Fix:
None at the moment.
>Audit-Trail:
>Unformatted:
