>Number:         2030
>Category:       general
>Synopsis:       spelling error possibilities include files that shouldn't be seen
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Apr 2 11:10:01 PST 1998
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3b5
>Environment:
Sun Solaris 2.5
from uname -a:
SunOS barrett-1 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-5
>Description:
When the client requests a URL that does not exist, and mod_speling cannot
find a single replacement, it lists many possibilities (code 300, multiple
choices). Those include URLs that, when selected, generate 403 (or other)
errors because they are forbidden. In fact, the read permissions are such
that the user that runs the httpd (nobody) should be unable to see the files.
>How-To-Repeat:
http://classics.mit.edu/Tacitus/histories.123.html
the files ending in .gz have file permissions 400, where the owner is not
the userid of the httpd.
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
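
Added example, not part of the original report and not Apache or mod_speling code: a sketch of the check the description asks for, dropping suggestions the server user cannot read before the "multiple choices" list is built. The listing, the uid/gid values and the one-character matching rule are constructed stand-ins, and the permission test covers only the classic owner/group/other bits.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed directory entry: a name plus the owner, group and mode stat() would report. */
struct entry { const char *name; uid_t uid; gid_t gid; mode_t mode; };

/* Constructed listing modelled on the report: .gz files are mode 400, not owned by the httpd user. */
static const struct entry listing[] = {
    {"histories.1.html",    1000, 100, 0644},
    {"histories.2.html",    1000, 100, 0644},
    {"histories.1.html.gz", 1000, 100, 0400},
    {"histories.2.html.gz", 1000, 100, 0400},
};
enum { LISTING_LEN = sizeof listing / sizeof listing[0] };

/* Stand-in matching rule: one substituted, inserted, deleted or transposed character. */
static int near_miss(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i = 0;
    while (a[i] && a[i] == b[i]) i++;
    if (la == lb) {
        if (!a[i]) return 1;                                   /* identical */
        if (strcmp(a + i + 1, b + i + 1) == 0) return 1;       /* substitution */
        return a[i + 1] && a[i] == b[i + 1] && a[i + 1] == b[i]
               && strcmp(a + i + 2, b + i + 2) == 0;           /* transposition */
    }
    if (la + 1 == lb) return strcmp(a + i, b + i + 1) == 0;    /* b has one extra character */
    if (lb + 1 == la) return strcmp(a + i + 1, b + i) == 0;    /* a has one extra character */
    return 0;
}

/* Classic owner/group/other read check; ignores supplementary groups, ACLs and root. */
static int readable_by(const struct entry *e, uid_t uid, gid_t gid) {
    if (e->uid == uid) return (e->mode & S_IRUSR) != 0;
    if (e->gid == gid) return (e->mode & S_IRGRP) != 0;
    return (e->mode & S_IROTH) != 0;
}

/* Count suggestions for req; with check_perms set, skip entries the server user cannot read. */
size_t count_choices(const char *req, uid_t uid, gid_t gid, int check_perms) {
    size_t i, n = 0;
    for (i = 0; i < LISTING_LEN; i++) {
        if (!near_miss(req, listing[i].name)) continue;
        if (check_perms && !readable_by(&listing[i], uid, gid)) continue;
        n++;
    }
    return n;
}

int main(void) {
    uid_t httpd_uid = 60001; gid_t httpd_gid = 60001;   /* assumed ids for "nobody" */
    printf("unfiltered: %zu, filtered: %zu\n",
           count_choices("histories.3.html.gz", httpd_uid, httpd_gid, 0),
           count_choices("histories.3.html.gz", httpd_uid, httpd_gid, 1));
    return 0;
}
```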
