>Number: 3208 >Category: mod_proxy >Synopsis: proxy interprets username as hostname >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Oct 14 06:00:01 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.2 >Environment: HP-UX B.10.20 A 9000/816 gcc 2.7.2.3 >Description: Apache is configured as proxy; no local documents are to be served. When the client provides username:password in a ftp-request, apache interprets the username as its local hostname - apparently because the username happens to match de domainname of the proxy - and tries to serve a local document, which doesn't exist.
e.g.: 'ftp://apache:[EMAIL PROTECTED]/' when the proxy is in domain 'apache.org'. >How-To-Repeat: Lets say your proxy server is 'proxy.apache.org'. Let your client request 'ftp://apache:[EMAIL PROTECTED]/'. The proxy will reply '404 Not found'. If you modify the username to no longer match your domain, the request will get passed on. >Fix: >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
