From owner-freebsd-security  Sun Oct  8 16: 0:34 2000
Delivered-To: freebsd-security@freebsd.org
Received: from hand.dotat.at (hand.dotat.at [212.240.134.135])
	by hub.freebsd.org (Postfix) with ESMTP id 97B2337B66C
	for <security@freebsd.org>; Sun,  8 Oct 2000 16:00:32 -0700 (PDT)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3)
	id 13iPPE-000ISM-00; Sun, 08 Oct 2000 22:58:56 +0000
Date: Sun, 8 Oct 2000 22:58:55 +0000
From: Tony Finch <dot@dotat.at>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: security@freebsd.org
Subject: Re: A new problem in apache ?
Message-ID: <20001008225855.E12691@hand.dotat.at>
References: <200010010102.VAA41966@giganda.komkon.org> <20001001053035.A26403@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20001001053035.A26403@nagual.pp.ru>
Organization: Covalent Technologies, Inc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Andrey A. Chernov" <ache@nagual.pp.ru> wrote:
>
>> Here are some example RewriteRule directives. The first is vulnerable, but the others are not
>>
>> 	RewriteRule    /test/(.*)		/usr/local/data/test-stuff/$1
>
>Looks like famous ../../../ trick can be used.

Yes, but you have to be reasonably cunning to get a ../../../.. into
the path whilst avoiding the checks for it.

I've posted more information about this problem to bugtraq.

Tony.
-- 
en oeccget g mtcaa    f.a.n.finch
v spdlkishrhtewe y    dot@dotat.at
eatp o v eiti i d.    fanf@covalent.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message