Dear Kevin,

Do you mean by "filename" any absolute path names to files?

Ted Liao

> http://www.apacheweek.com/issues/00-09-22
>
> Security vulnerability in mod_rewrite
>
> The Apache development list this week contains a fix for a security issue that affects
> previous versions of Apache, including Apache 1.3.12. Apache is only vulnerable if you use
> mod_rewrite and a specific case of the directive RewriteRule. If the result of a
> RewriteRule is a filename that contains regular expression references then an attacker may
> be able to access any file on the web server.
>
> Here are some example RewriteRule directives. The first is vulnerable, but the others are
> not
>
> RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
> RewriteRule /more-icons/(.*) /icons/$1
> RewriteRule /go/(.*) http://www.apacheweek.com/$1
>
> The patch is currently being tested and will be part of the release of Apache 1.3.13. Until
> then, users should check their configuration files and not use rules that map to a filename
> such as the first example above.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
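The configuration check the quoted advisory recommends, as an added example that is not part of the original message or of Apache Week's text: it scans a config for RewriteRule lines whose substitution carries a $N or %N reference and sits under a filesystem directory. The names FS_ROOTS, logical_lines and audit are hypothetical, the directory list is an assumption to adjust per server, and arguments are assumed to be whitespace-separated without quoting.

```python
import re

# Constructed sample config: the three rules quoted in the advisory, plus a
# commented-out rule and a rule with no back-reference.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
# RewriteRule /old/(.*) /usr/local/old/$1
RewriteRule ^/about$ /usr/local/data/about.html
"""

BACKREF = re.compile(r"[$%][0-9]")                 # $N or %N reference
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)  # http:, ftp:, ...

# Assumption: directories that exist on this server's filesystem, so that a
# substitution beneath them is a filename rather than a URL path.
FS_ROOTS = ("/usr", "/var", "/home", "/opt", "/srv")


def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", 0


def audit(conf_text, fs_roots=FS_ROOTS):
    """Return [(line_no, directive)] for rules of the advisory's first kind."""
    findings = []
    for no, line in logical_lines(conf_text):
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue  # comments, blanks and other directives
        subst = parts[2]
        if SCHEME.match(subst) or not BACKREF.search(subst):
            continue  # external URL, or no regular expression reference
        if any(subst.startswith(root.rstrip("/") + "/") for root in fs_roots):
            findings.append((no, line))
    return findings


if __name__ == "__main__":
    for no, line in audit(SAMPLE_CONF):
        print(f"line {no}: maps to a filename with a reference: {line}")
```

On the constructed sample only the /test/ rule is reported; the /icons/ and http:// rules and the rule without a reference are passed over.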
