
Re: release critical bug in apache2.2?



On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <expires-2007@venthur.de> wrote:
> Hi
> 
> I've just upgraded #393913 from minor to important.
> 
>  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393913
> 
> Somebody just mailed me that this bug is release critical since it
> allows to read/download php-scripts (like index.php).
> 
> Can somebody confirm that this bug is RC or should I just keep it important?

DirectoryIndex tells Apache which file(s) it may use when the URL points
to a directory, instead of creating an index of the directory itself, if
allowed to.

The default value for DirectoryIndex is index.html, which
obviously forgets index.php. But that doesn't mean index.php will be
readable as source. It only means that the auto index will be displayed
if no index.html is present and if allowed to.

Auto-indexes are enabled only in /var/www/apache2-default and
/usr/share/apache2/icons by default, so it is not likely to leak any
unexpected file list.

So no, that doesn't grant an RC bug for these reasons.

On the other hand, it breaks configurations that used to work... (sites
relying on this index.php setting will get 403 errors after upgrade from
2.0)

Mike
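
The behaviour described in the message above, modelled as an added example (not part of the original e-mail and not Apache's own code): it reads a constructed configuration and reports what a request for each directory URL returns when the directory holds only index.php. The sample blocks, the function names and the simplified inheritance (each block inherits only from server level, where listings start off) are assumptions.

```python
import re

# Constructed sample configuration (not taken from the message or the bug report).
SAMPLE_CONF = """\
DirectoryIndex index.html
<Directory /var/www/>
    Options FollowSymLinks
</Directory>
<Directory /var/www/apache2-default>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/app>
    Options -Indexes
    DirectoryIndex index.html index.php
</Directory>
"""

def apply_options(args, inherited):
    """One Options line: bare keywords replace the set, +/- keywords adjust it."""
    bare = [a.lower() for a in args if a[0] not in "+-"]
    if bare:
        return "indexes" in bare or "all" in bare
    signed = [a[0] for a in args if a[1:].lower() == "indexes"]
    return signed[-1] == "+" if signed else inherited

def parse_conf(text):
    """Map each <Directory> path to its settings. Assumption: a block inherits
    only from server level, where listings start off (no nested merging)."""
    server = {"index": ["index.html"], "autoindex": False}
    scopes, cur = {}, server
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if m:
            cur = scopes[m.group(1)] = dict(server)
        elif line.lower() == "</directory>":
            cur = server
        elif line.lower().startswith("directoryindex"):
            cur["index"] = line.split()[1:]
        elif line.lower().startswith("options"):
            cur["autoindex"] = apply_options(line.split()[1:], cur["autoindex"])
    return scopes

def directory_response(scope, files):
    """Directory URL outcome: an index file (passed to its handler), listing or 403."""
    hit = next((n for n in scope["index"] if n in files), None)
    return hit or ("listing" if scope["autoindex"] else "403")

def audit(text, files=("index.php",)):
    return {p: directory_response(s, files) for p, s in parse_conf(text).items()}
```

Calling `audit(SAMPLE_CONF)` shows the three outcomes side by side: a 403 where index.php is not listed and auto-indexing is off, a file listing where it is on, and index.php itself only where DirectoryIndex names it.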


