Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
- To: halfdog <me@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] FYI: Apache httpd NoFollowSymLink follows symlinks feature
- From: Ferenc Kovacs <tyra3l@xxxxxxxxx>
- Date: Fri, 24 Jun 2011 20:24:01 +0200
> The FAQ says: "You can usually avoid problems by either finding the
> Options directive that already applies to a specific directory and
> changing it, or by putting your Options directive inside the most
> specific possible <Directory> section."
>
> The option is in the most specific directory section and it also takes
> effect, returning forbidden on http request. But when you use the
> RenameLoop program in parallel, it fails to detect the symlink and
> delivers the linked data. This specific TOCTOU issue is known and part
> of the Apache specification.
>
I didn't mean to imply otherwise, I've just explained what the
+/- before an option does.
Tyrael
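
The check-then-open window discussed in the quoted text, shown as an added example that is not part of the original post and is not Apache httpd code. It assumes Linux behaviour (O_NOFOLLOW fails with ELOOP); the names open_nofollow and toctou_demo, and the files page, other and link, are constructed for illustration, and the hardening covers only the final path component.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open (hypothetical helper): the kernel rejects a symlink in the
 * final path component at open time, and fstat() checks the opened object. */
int open_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                      /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temp directory. Returns a bitmask:
 * 1 = lstat() check passed, 2 = open-by-name after the swap followed the
 * symlink, 4 = open_nofollow() refused the swapped path with ELOOP. */
int toctou_demo(void)
{
    char dir[] = "/tmp/toctouXXXXXX";
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(dir) || chdir(dir) != 0)
        return -1;
    close(open("page", O_CREAT | O_WRONLY, 0644));   /* file being served */
    close(open("other", O_CREAT | O_WRONLY, 0644));  /* symlink target */
    if (symlink("other", "link") != 0)
        return -1;
    if (lstat("page", &st) == 0 && !S_ISLNK(st.st_mode))
        result |= 1;                    /* time of check: regular file */
    rename("link", "page");             /* swap happening inside the window */
    if ((fd = open("page", O_RDONLY)) >= 0) {   /* time of use: by name */
        result |= 2;
        close(fd);
    }
    if ((fd = open_nofollow("page")) < 0 && errno == ELOOP)
        result |= 4;
    unlink("page"); unlink("other"); if (chdir("/") == 0) rmdir(dir);
    return result;
}
```

A return value of 7 from toctou_demo() means the path-based check passed, the later open by name still followed the symlink, and the descriptor-based open refused it.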