DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=44161>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=44161 Summary: Configuration disclosure in HTTP header when using static built-in and 3rd party shared modules Product: Apache httpd-2 Version: 2.2.6 Platform: PC OS/Version: Linux Status: NEW Severity: critical Priority: P2 Component: Core AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] When apache is configured with static built-in modules (such as mod_rewrite) and also 3rd party shared modules (such as mod_php), some parts of the httpd.conf (and other included files) are disclosed in the "Server" part of the HTTP header. Examples as follow, strings "<location" and "x\xb9\x1e\b": Apache/2.2.6 (Unix) mod_ssl/2.2.6 <location DAV/2 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Apache/2.2.6 (Unix) mod_ssl/2.2.6 x\xb9\x1e\b DAV/2 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8 Note: the disclosed part may include commented lines from the configuration file and seems to be lowercase (to be confirmed), sometimes it can "leak" hundred of characters. Note2: The disclosed part is not the same from a service reload to an another. Note3: All configuration files are in plain ASCII format with Unix-style end of line. Note4: Nothing is disclosed if the 3rd party modules aren't loaded in configuration but the presence of at least one of them is enough to have the problem. Prior to compilation, the configuration was the following: ./configure --enable-ldap --enable-so --with-ssl --enable-rewrite --enable-dav --enable-dav-fs --enable-ssl --disable-cgid --disable-cgi --enable-authnz-ldap --enable-ldap --with-ldap --enable-proxy --localstatedir=/opt/logs/apache --prefix=/opt/apache-2.2.6 It was built on a stable Debian Etch with a 2.6.23.9 kernel. Workaround: to avoid the problem, all modules must be built as shared instead of static and have to be explicitly loaded in the configuration. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
