Date:      Sat, 12 Aug 2000 08:32:40 -0700 (PDT)
From:      Ian Kallen <spidaman@salon.com>
To:        Vladimir Melnik <raccoon@art-service.net.ua>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: php-3.0.12 and apache-1.3.9: it this a bug or some feature?
Message-ID:  <Pine.BSF.4.10.10008120829190.41267-100000@viagara.salon.com>
In-Reply-To: <20000812081705.I98373@art-service.net.ua>


Where is the freebsd-security issue?  This has to do with Apache and PHP
configuration, settings you might have that can produce confusing results
interpreting PATH_INFO.  Therefore comp.infosystems.www.servers.unix is a
more appropriate place to ask this and without posting a representative 
httpd.conf, probably difficult to answer.

Today, Vladimir Melnik <raccoon@art-service.net.ua> frothed and...: 
> Hello, citizens.
> 
> 	Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on
> 	one of the FreeBSD-3.4 boxes and I can't understand it. Look... I have
> 	some php3-scripts at my web-server. Ok, let's run Internet
> 	Browser and type URL:
> 	
> 		http://my.web.server/index.html
> 	
> 	Oh, well, it's ok, file `index.html' exists and my apache shows
> 	it. Now let's check this:
> 
> 		http://my.web.server/something.php3
> 
> 	Wow! It's ok too, `cause this file exists too! ;-) Now we'll do
> 	something unusual...
> 
> 		http://my.web.server/something.php3/boo-boo/oops/
> 
> 	or even
> 
> 		http://my.web.server/something.php3/../../../../
> 
> 	Oops... I can see this document, but, #$%%^%^!.. But where are all
> 	the images?! ;-) I can't see any of my <img src="..."> displayed
> 	correctly. 404. But why do I see html-document? Ok, let's try:
> 
> 		http://my.web.server/index.html/boo-boo/oops/
> 
> 	404, sir. Ok. But what's happened to my php?! ;-) It's interesting
> 	to think about, isn't it? ;-) What are your guesses?
> 
> 

--
Salon Internet 				http://www.salon.com/
  Manager, Software and Systems "Livin' La Vida Unix!"
Ian Kallen <idk@salon.com> / AIM: iankallen / Fax: (415) 354-3326 


