Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes

To: Miquel van Smoorenburg <miquels@debian.org>
Cc: John Lightsey <lightsey@debian.org>, 524474@bugs.debian.org, control@bugs.debian.org
Subject: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
From: Stefan Fritsch <sf@sfritsch.de>
Date: Thu, 7 May 2009 22:25:41 +0200
Message-id: <[🔎] 200905072225.41487.sf@sfritsch.de>
Reply-to: Stefan Fritsch <sf@sfritsch.de>, 524474@bugs.debian.org
In-reply-to: <[🔎] 1241317654.25658.14.camel@home>
References: <[🔎] 1241317654.25658.14.camel@home>

tags 524474 - security
severity 524474 important
thanks

On Sunday 03 May 2009, John Lightsey wrote:
> This shouldn't be tagged as a grave security issue.  The symlink
> tests in Apache are trivial to overcome with timing attacks and the
> Apache documentation explicitly states that the symlink tests
> should not be considered a security restriction.

I agree. Especially considering that all 2.0.x and 2.2.x behaved in 
this way.

Reply to:

Follow-Ups:
- Processed: Re: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

References:
- Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
  - From: John Lightsey <lightsey@debian.org>

Prev by Date: Bug#526518: Seems to be a duplicate
Next by Date: Bug#527812: apr-util: FTBFS: /usr/share/apr-1.0/build/libtool: line 2229: ./dbd.lo: No such file or directory
Previous by thread: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
Next by thread: Processed: Re: Bug#524474: FollowSymlinks / SymlinksIfOwnerMatch ignored with server-side-includes
Index(es):
- Date
- Thread