> -----Original Message-----
> From: Carrie Bartkowiak [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 13, 2001 11:02 PM
> To: cobalt-security
> Subject: Re: [cobalt-security] Bugtraq ID 2503 : Apache Artificially
> Long Slash Path DirectoryListing Exploit (fwd)
>
>
> Seems pretty simple to me... turn off Indexes!
> You should be doing that anyway. The blank index.html thrown into a
> directory is a lame cheat and a *lot* more work than just disabling
> Indexes and being done with it.

From another forum....

> -----Original Message-----
> From: Ben Laurie [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 14, 2001 4:54 PM
> To: Bugtraq
> Subject: Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path
> Directory Listing Exploit
>
>
> Matt Watchinski wrote:
> > # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> > # Author: Matt Watchinski
> > # Ref: SecurityFocus BID 2503
> > #
> > # Affects: Apache 1.3.17 and below
>
> Doh! From apache 1.3.x CHANGES file:
>
> Changes with Apache 1.3.18 [not released]
>
>   *) SECURITY: The default installation could lead to mod_negotiation
>      and mod_dir/mod_autoindex displaying a directory listing instead of
>      the index.html.* files, if a very long path was created artificially
>      by using many slashes. Now a 403 FORBIDDEN is returned.
>      [Martin Kraemer]
>
> Of course, 1.3.19 _was_ released. Ages ago.
>
> Cheers,
>
> Ben.
>
>
> --
> http://www.apache-ssl.org/ben.html
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
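
An added example, not part of either message or of Apache: a check over access logs for the condition the quoted CHANGES entry describes, flagging requests whose path has a very long run of slashes and separating those answered with 403 from those that returned content. The threshold, the function names and the sample log lines are constructed assumptions.

```python
import re

# Assumption: the thread gives no number for "very long"; this threshold is
# an arbitrary starting point and should be tuned per site.
SLASH_RUN_THRESHOLD = 32

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' characters in path."""
    return max((len(r) for r in re.findall(r'/+', path)), default=0)

def classify(line, threshold=SLASH_RUN_THRESHOLD):
    """Return None for ordinary or unparseable lines, else a finding dict."""
    m = CLF.match(line)
    if not m:
        return None
    host, when, _method, path, status = m.groups()
    run = longest_slash_run(path.split('?', 1)[0])  # ignore the query string
    if run < threshold:
        return None
    if status == '403':
        verdict = 'blocked'  # the response the CHANGES entry says fixed servers give
    elif status.startswith('2'):
        verdict = 'served'   # content came back: check Apache version and Indexes
    else:
        verdict = 'other'
    return {'host': host, 'time': when, 'slashes': run,
            'status': int(status), 'verdict': verdict}

def scan(lines, threshold=SLASH_RUN_THRESHOLD):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l, threshold) for l in lines) if f]

# Constructed sample log lines (not from a real server; slash counts arbitrary).
SAMPLE = [
    '192.0.2.10 - - [14/Jun/2001:16:54:00 +0000] "GET /docs/index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [14/Jun/2001:16:55:10 +0000] "GET /' + '/' * 200 + ' HTTP/1.0" 200 812',
    '192.0.2.77 - - [14/Jun/2001:16:55:12 +0000] "GET /private' + '/' * 300 + ' HTTP/1.0" 403 291',
    '192.0.2.31 - - [14/Jun/2001:16:56:01 +0000] "GET /a//b/ HTTP/1.0" 200 55',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

A 'served' finding only shows that content was returned for such a path; whether it was a directory listing has to be confirmed against the server's version and its Indexes setting.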
