Date: Sat, 12 Aug 2000 08:32:40 -0700 (PDT)
From: Ian Kallen <spidaman@salon.com>
To: Vladimir Melnik <raccoon@art-service.net.ua>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: php-3.0.12 and apache-1.3.9: it this a bug or some feature?
Message-ID: <Pine.BSF.4.10.10008120829190.41267-100000@viagara.salon.com>
In-Reply-To: <20000812081705.I98373@art-service.net.ua>

Where is the freebsd-security issue? This has to do with Apache and PHP
configuration, settings you might have that can produce confusing results
interpreting PATH_INFO. Therefore comp.infosystems.www.servers.unix is a
more appropriate place to ask this and without posting a representative
httpd.conf, probably difficult to answer.

Today, Vladimir Melnik <raccoon@art-service.net.ua> frothed and...:

> Hello, citizens.
>
> Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on
> one of FreeBSD-3.4 box and I can't understand it. Look... I have
> some php3-scripts at my web-server. Ok, let's run Internet
> Browser and type URL:
>
> http://my.web.server/index.html
>
> Oh, well, it's ok, file `index.html' exists and my apache shows
> it. Now let's check this:
>
> http://my.web.server/something.php3
>
> Wow! It's ok too, `cause this file exists too! ;-) Now we'll do
> something unusual...
>
> http://my.web.server/something.php3/boo-boo/oops/
>
> or even
>
> http://my.web.server/something.php3/../../../../
>
> Oops... I can see this document, but, #$%%^%^!.. But where is all
> images?! ;-) I can't see any of my <img src="..."> displayed
> correctly. 404. But why do I see html-document? Ok, let's try:
>
> http://my.web.server/index.html/boo-boo/oops/
>
> 404, sir. Ok. But what's happened to my php?! ;-) It's interesting
> to think about, isn't it? ;-) What is your guessings?
>
>

--
Salon Internet http://www.salon.com/
Manager, Software and Systems "Livin' La Vida Unix!"
Ian Kallen <idk@salon.com> / AIM: iankallen / Fax: (415) 354-3326

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
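
An added illustration, not part of either message: a small Python model of the PATH_INFO split the reply refers to, run over the URLs from the quoted question. The file set, the handler rule (only the PHP handler accepts trailing path data, the static file handler rejects it, as Apache 1.3's default handler does) and the image name `images/logo.gif` are assumptions made for the example.

```python
from urllib.parse import urlsplit, urljoin

# Constructed document root: the two files named in the message (assumed layout).
DOCROOT_FILES = {"/index.html", "/something.php3"}
# Assumption: only the PHP handler accepts trailing path data; the static
# file handler rejects it, as Apache 1.3's default handler does.
PATH_INFO_HANDLERS = (".php3",)

def split_path_info(url_path):
    """Walk the path left to right; the first prefix that names a file
    becomes the script, everything after it becomes PATH_INFO."""
    segments = url_path.split("/")[1:]
    prefix = ""
    for i, seg in enumerate(segments):
        prefix += "/" + seg
        if prefix in DOCROOT_FILES:
            rest = "/".join(segments[i + 1:])
            return prefix, ("/" + rest if i + 1 < len(segments) else "")
    return None, ""

def serve(url):
    """Return (status, script, path_info) for a request URL."""
    script, path_info = split_path_info(urlsplit(url).path)
    if script is None:
        return 404, None, ""
    if path_info and not script.endswith(PATH_INFO_HANDLERS):
        return 404, script, path_info  # static file plus extra path: rejected
    return 200, script, path_info      # script runs, extra path is PATH_INFO

def image_request(page_url, img_src):
    """Resolve a relative <img src> the way a browser does, against the page URL."""
    return urljoin(page_url, img_src)

if __name__ == "__main__":
    for url in ("http://my.web.server/index.html",
                "http://my.web.server/something.php3",
                "http://my.web.server/something.php3/boo-boo/oops/",
                "http://my.web.server/index.html/boo-boo/oops/"):
        print(serve(url), url)
    # Constructed relative image reference, resolved against the long URL:
    print(image_request("http://my.web.server/something.php3/boo-boo/oops/",
                        "images/logo.gif"))
```

The last line shows why the page renders without its images: the browser asks for the image below `something.php3/boo-boo/oops/`, not at the location where the file actually lives.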