Possible security problem with apache2?

To: ISP <debian-isp@lists.debian.org>
Subject: Possible security problem with apache2?
From: Carlos Acedo <carlos@pangea.org>
Date: Fri, 06 Nov 2009 14:28:05 +0100
Message-id: <[🔎] 4AF42465.3030104@pangea.org>

Hi,

I think there is a security problem with apache2 worker, I have disabledfollowSymlinks in apache, it works as excepted, but when the symboliclink name is index.html or whatever the DirectoryIndex says, I canfollow the symbolic link wherever it goes, for example:


ln -s /etc/passwd /var/www/index.html

Would show passwd contents, the thing is that only works if I don'tspecify the index file, for example http://example.org would follow thesymbolic link but http://example.org/index.html not (as expected).


Thanks in advance

Carlos.

Reply to:

Prev by Date: Re: worldwide UMTS provider
Next by Date: Re: worldwide UMTS provider
Previous by thread: Re: worldwide UMTS provider
Next by thread: Xen nat + route
Index(es):
- Date
- Thread