On Sun, 11 Sep 2005, Henrik Nordstrom wrote:

> On Sat, 10 Sep 2005, Merton Campbell Crockett wrote:
> 
> > One element in common with this site and the one in the Bugzilla report
> > mentioned by Henrik Nordstrom is that they both use the Apache Advanced
> > Extranet Server 2.0.48.
> 
> Only 2 of 3 so far..
> 
> > I would suspect that mod_rewrite is being used instead of mod_proxy to
> > provide access to internal content.  Squid is appending a slash and is
> > causing the security check to match the regex ^.*/$.  The following will
> > work, as well. :)
> 
> Interesting theory, but does not explain the inverse max-age dependency...

No, it does not.

Is there an inverse max-age dependency?  The behaviour of the VATLogic and 
Murfreesboro web sites occurs regardless of max-age.  Both sites return a 
403 (Forbidden) status when the URL references DocumentRoot.

The VATLogic site will return a 403 (Forbidden) status for any URL that 
explicitly references a directory, i.e. the URL is terminated by a "/".  
Neither the directory nor the path to the directory need exist.

Both sites are using the Apache-AdvancedExtranetServer.  The name suggests 
that this is a variant of the Apache HTTP Server configured to sit on the 
organisation's security perimeter and provide access to internal web 
content.  It also suggests that Apache's mod_rewrite module is being 
used to implement standard security policies and access control.

There may be an inverse max-age dependency but in these two instances I 
suspect that it is a "red herring".  There is a simpler answer.  Access is 
being denied because the request appears to be attempting to retrieve a 
directory listing.


Merton Campbell Crockett
 

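An added example, not part of the original message: one way to check the two explanations discussed above against a set of observed responses. The observations, the example.test hostname and the helper names are constructed for illustration, and the regex is the one the thread suspects, not a confirmed server configuration.

```python
import re
from urllib.parse import urlsplit

# Rule suspected in the thread: deny any request path matching ^.*/$
DIRECTORY_RE = re.compile(r"^.*/$")

# Constructed observations: (request URL, max-age sent, response status).
# Placeholder host and values, not measurements from the thread.
OBSERVATIONS = [
    ("http://www.example.test/", 0, 403),
    ("http://www.example.test/", 3600, 403),
    ("http://www.example.test/index.html", 0, 200),
    ("http://www.example.test/index.html", 3600, 200),
    ("http://www.example.test/no/such/dir/", 259200, 403),
    ("http://www.example.test/docs/page.html", 259200, 200),
]

def looks_like_directory(url):
    """True if the request path would match the suspected rule."""
    # An empty path goes on the wire as "/", so a bare host URL also matches.
    path = urlsplit(url).path or "/"
    return DIRECTORY_RE.match(path) is not None

def explains(observations, predictor):
    """True if predictor(url, max_age) agrees with 'status is 403' on every row."""
    return all(predictor(u, m) == (s == 403) for u, m, s in observations)

def max_age_split_exists(observations):
    """True if some threshold on max-age alone separates the 403s from the rest."""
    denied = [m for _, m, s in observations if s == 403]
    allowed = [m for _, m, s in observations if s != 403]
    if not denied or not allowed:
        return False
    return max(denied) < min(allowed) or min(denied) > max(allowed)

if __name__ == "__main__":
    by_slash = explains(OBSERVATIONS, lambda u, m: looks_like_directory(u))
    print("trailing slash explains every 403:", by_slash)
    print("max-age threshold explains every 403:", max_age_split_exists(OBSERVATIONS))
```

Replacing OBSERVATIONS with rows taken from real proxy and origin logs shows which of the two explanations survives for a given site.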