On Thu, 25 Oct 2001, Rod Roark wrote: > Um, how? It's clear that all scripts will run as user apache, > but the whole point is that if you don't know the other user's > documentroot name
Well, I'd kind of missed that you were counting on the 711 directory permissions. But still... > then you can't formulate a malicious request. Sure you can. There's an ap_document_root() function, all you need is the server_rec for that vhost. The list of server_rec's is static to the core, but if you tried hard enough, I bet you could find a way to get at it. For example, while I haven't actually tried this, I just poked around in http_vhost.c and it looks like you can change r->hostname to the host you're interested in, then call ap_update_vhost_from_headers(r) and then call ap_document_root(r->server) and you've got the docroot. Even if this is broken for some reason (like I say, I didn't actually try it), there's most likely some other way to do it. This is security through obscurity at best, unfortunately. :-/ --Cliff -------------------------------------------------------------- Cliff Woolley [EMAIL PROTECTED] Charlottesville, VA
