On Thu, Mar 21, 2013 at 08:29:38AM -0700, Bradley Giesbrecht wrote:
> If you have mod_rewrite available this appears to work around the problem for
> me:
> ...
> RewriteCond %{SCRIPT_FILENAME} .+\.p.+hp$ [NC]
> RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,QSA]
> ...
Be warned that doing this will only fix the specific attack mentioned in
the ticket. The Unicode bytes could however also be added between
"<filename>.ph" and "p" instead of between "p" and "hp".
So, your solution is not a secure workaround!
Also, there probably are other Unicode symbols that can be used in this
place to exploit the vulnerability.
--
Clemens Lang
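
The gap described in the reply above, as an added example that is not part of the original thread: the quoted RewriteCond pattern is run against both insertion positions, next to a position-independent check that drops the extra code points before comparing the extension. U+200C, the sample paths, the function names and the assumption that the bytes in question are Unicode format (Cf) code points are all constructed for illustration; the ticket's actual bytes are not reproduced here.

```python
import re
import unicodedata

# Pattern from the quoted RewriteCond; the [NC] flag maps to re.IGNORECASE.
WORKAROUND = re.compile(r".+\.p.+hp$", re.IGNORECASE)

# Constructed stand-in for "the Unicode bytes" (assumption: a Cf code point).
FILLER = "\u200c"


def workaround_matches(path):
    """True when the quoted rewrite condition would fire for this path."""
    return WORKAROUND.search(path) is not None


def extension(path):
    """Lower-cased extension of the last path component, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def strip_format_chars(path):
    """Drop every code point in Unicode general category Cf (format)."""
    return "".join(ch for ch in path if unicodedata.category(ch) != "Cf")


def is_disguised_php(path):
    """True when the extension only reads 'php' after Cf code points are dropped."""
    return extension(path) != "php" and extension(strip_format_chars(path)) == "php"


# Constructed sample paths: the two positions named in the thread, plus a plain one.
SAMPLES = {
    "between p and hp": "/srv/www/index.p" + FILLER + "hp",
    "between .ph and p": "/srv/www/index.ph" + FILLER + "p",
    "plain": "/srv/www/index.php",
}

if __name__ == "__main__":
    for label, path in SAMPLES.items():
        print(f"{label:18} rewrite={workaround_matches(path)!s:5} "
              f"normalised={is_disguised_php(path)}")
```

The normalising check flags both positions while the rewrite pattern fires for only the first; it still covers only the Cf category, so other symbols of the kind the reply anticipates would need their own handling.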