>Number: 1701
>Category: mod_userdir
>Synopsis: UserDir and absolute path.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue Jan 20 01:30:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.5
>Environment:
This problem was discovered under RedHat 5.0 with linux 2.0.33 and also works with irix 6.3. In both cases compiled with gcc.
>Description:
If we set UserDir to an absolute path (UserDir /home/web/ for example) then apache just adds username to this directory (for ~foo is /home/web/foo). But it's possible to give . or .. as username. So if you try to access ~. you can see the listing of UserDir (in our example /home/web) if there is no index.html or equivalent. And if we use .. as username, so we try to access ~.. in server, we can see one directory up from UserDir (/home in our example). If we use ~../.. as username, the handling seems to be correct.
>How-To-Repeat:
Just set the UserDir to /tmp and watch your /tmp directory and / directory from browser.
>Fix:
Probably check for username if UserDir is given as absolute path and if it is . or .. , deny access.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
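
The check proposed under >Fix:, as an added example that is not part of the original report and is not Apache's code. The function names `userdir_name_ok` and `map_userdir` are hypothetical, and the path after the username is assumed to be normalised by the server already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not Apache's code): a ~name component that is empty,
 * "." or ".." must never be appended to an absolute UserDir. */
static int userdir_name_ok(const char *name)
{
    return name[0] != '\0' && strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Map "/~name[/rest]" to "<userdir>/name[/rest]".
 * Returns 0 and fills out on success, -1 when the request is refused.
 * Only the name component is checked here; "rest" is assumed to have been
 * normalised by the server already. */
int map_userdir(const char *userdir, const char *uri, char *out, size_t outlen)
{
    char user[64];
    const char *name, *rest;
    size_t ulen, dlen;
    int n;

    if (strncmp(uri, "/~", 2) != 0)
        return -1;                        /* not a ~user request */
    name = uri + 2;
    rest = strchr(name, '/');
    ulen = rest ? (size_t)(rest - name) : strlen(name);
    if (ulen >= sizeof(user))
        return -1;
    memcpy(user, name, ulen);
    user[ulen] = '\0';
    if (!userdir_name_ok(user))
        return -1;                        /* deny ~. and ~.. */

    dlen = strlen(userdir);
    while (dlen > 1 && userdir[dlen - 1] == '/')
        dlen--;                           /* "/home/web/" -> "/home/web" */
    n = snprintf(out, outlen, "%.*s/%s%s", (int)dlen, userdir, user, rest ? rest : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample requests against the report's example UserDir. */
    const char *reqs[] = { "/~foo/index.html", "/~.", "/~..", "/~../" };
    char path[256];
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        int rc = map_userdir("/home/web/", reqs[i], path, sizeof(path));
        printf("%-18s -> %s\n", reqs[i], rc == 0 ? path : "denied");
    }
    return 0;
}
```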
