I'm using mod_xsendfile
(http://celebnamer.celebworld.ws/stuff/mod_xsendfile) with Apache 2.0.58
on Windows.
My scripts are issuing the x-sendfile http header and, Apache is
interpreting it correctly, sending the designated file path to the
client. So far, so good.
However, Apache DOES NOT remove or "swallows" the x-sendfile header. It
will go along to client side, revealing to client side my internal file
system paths.
I think this is a severe security vulnerability.
Can you notice the same problem ?
If not:
- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt
and in which order ?
If you're having the same problem:
- How can we fix it ?
Thanks in advance for you help !
--
Obrigado,
------------------------------------------------------------------------------
Jose Adriano Baltieri - Analista de Sistemas
DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
PIRACICABA - SP - Brasil - Fone : (19) 3124-1858
------------------------------------------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]