>Number: 1818
>Category: config
>Synopsis: Follows symbolic links whether or not disabled
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Feb 16 16:40:00 PST 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.2.5 RedHat
>Environment: RedHat Linux 5.0 on Cyrix P166+
>Description:
If I disable FollowSymLinks or FollowSymLinkIfOwner, Apache will serve a file linked anyway! I checked all my configurations, I followed the suggested security tips (disable access to / dir), but symbolic links are still functioning; note that there is no <location> directive that overrides a <directory> directive.
It is a big problem: 700 users and no control over symlinks to /etc/passwd!!!
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
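
While the server-side behaviour in the report is being investigated, an administrator can inventory the symlinks users have placed in served directories. The following is an added example, not part of the original report and not Apache code: it walks a tree and lists links that resolve outside it, or whose owner differs from the target's owner. It is a filesystem check only and does not reproduce how Apache evaluates its options; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def audit_symlinks(root):
    """Return (link, resolved_target, reason) for each risky symlink under root."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: linked directories are reported, never descended into.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves chains of links
            if not os.path.exists(target):
                findings.append((link, target, "dangling"))
                continue
            inside = os.path.commonpath([root_real, target]) == root_real
            if not inside:
                findings.append((link, target, "escapes-root"))
            elif os.lstat(link).st_uid != os.stat(target).st_uid:
                # Link owner and target owner differ (an owner-match style check).
                findings.append((link, target, "owner-mismatch"))
    return findings


def build_sample_tree():
    """Constructed sample: one in-tree link and one link leaving the tree."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public_html")
    outside = os.path.join(base, "secret.txt")
    os.mkdir(root)
    with open(outside, "w") as f:
        f.write("not for the web\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<p>hi</p>\n")
    os.symlink("index.html", os.path.join(root, "home.html"))  # stays inside
    os.symlink(outside, os.path.join(root, "leak.txt"))        # leaves the tree
    return root


if __name__ == "__main__":
    for link, target, reason in audit_symlinks(build_sample_tree()):
        print(f"{reason:15} {link} -> {target}")
```

Run against each user's served directory, the output gives a list of links to review regardless of which options the server ends up honouring.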
