
Re: apache security issue (with upstream new release)



Hey, morons, don't drop people from the CC.  Otherwise they'll never
know what you're saying.

On Fri, Oct 31, 2003 at 03:07:26PM +0100, Lupe Christoph wrote:
> Quoting Phillip Hofmeister <plhofmei@zionlth.org>:
> 
> > I believe your justification can be found:
> 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=218188
> 
> > I'm not saying I agree fully with it...but I do understand it...
> 
> Given that some of the affected directives can be used in .htaccess
> files, the potential for an ordinary user to exploit this is there.
> This allows access to the user the Apache work processes run as. Not
> much, but depending on local setup, this can be harmful.

But if a malicious user has access to .htaccess, you're already fucked
five ways from Sunday.

-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk


