Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apache :: web5620.htm

Apache directory traversal via redirect ?
12th Aug 2002 [SBWID-5620]

	Apache directory traversal via redirect ?


	Apache HTTP server 2.0, non-Unix platforms


	Mark    J    Cox    In     Apache     software     foundation     alert,
	[] :


	This vulnerability has the potential to allow  an  attacker  to  inflict
	serious  damage  to  a  server,  and   reveal   sensitive   data.   This
	vulnerability affects default installations of the Apache web server.


	Credit   for   this    bug    finding    goes    to    Auriemma    Luigi


	A simple one line workaround in  the  httpd.conf  file  will  close  the
	vulnerability. Prior to the first 'Alias' or 'Redirect'  directive,  add
	the following directive to the global server configuration:

	   RedirectMatch 400 "\\\.\."


	Fixes for this vulnerability are also included  in  Apache  HTTP  server
	version 2.0.40. The 2.0.40 release also contains  fixes  for  two  minor
	path-revealing  exposures.  This  release  of  Apache  is  available  at

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH