[Full-disclosure] Phun With Apache
Graham Reed
greed at pobox.com
Mon Apr 11 23:43:13 BST 2005
On Apr 1, 2005, at 4:19 AM, duper at willhackforfood.biz wrote:
> ## Apache follows symbolic links referenced by public_html!
> ## Even when SymLinksifOwnerMatch is set and FollowSymLinks is not!
> ## A super-easy way to gain read access on files owned by the apache user!
It's not (only) a mod_userdir problem.

I found the problem is fully reproducible on the intranet server I
run--but it does not use mod_userdir. It gets its work done with
AliasMatch directives.

I currently believe the culprit is that the <Directory> and <DirectoryMatch>
directives are allowing symbolic links, without following the
ifOwnerMatch part of the directive.
--
"Dead people don't send spam."
Full-Disclosure is hosted and sponsored by Secunia.
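
An added example, not part of the original post or of Apache: a filesystem audit that lists symbolic links under a served directory whose target is not owned by the link's owner, which is the condition the ifOwnerMatch check discussed above is meant to refuse, so it can be verified independently of the web server. The function names and the sample tree are hypothetical and constructed here; the check compares only the link and its final target, which is a simplifying assumption.

```python
import os
import stat
import tempfile


def audit_symlinks(root, lstat=os.lstat, stat_target=os.stat):
    """List symlinks under root whose target is not owned by the link's owner.

    Returns (link_path, resolved_target, reason) tuples. lstat/stat_target are
    injectable so the owner comparison can be exercised without root.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk reports symlinks to directories in dirnames but does not descend
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            link = lstat(path)  # metadata of the link itself
            if not stat.S_ISLNK(link.st_mode):
                continue
            resolved = os.path.realpath(path)
            try:
                target = stat_target(path)  # follows the link to its target
            except OSError:
                findings.append((path, resolved, "dangling"))
                continue
            if target.st_uid != link.st_uid:
                findings.append((path, resolved, "owner-mismatch"))
    return findings


def build_sample_tree(base):
    """Constructed sample: one regular file, one link to it, one dangling link."""
    docroot = os.path.join(base, "docroot")
    os.makedirs(docroot)
    page = os.path.join(docroot, "index.html")
    with open(page, "w") as fh:
        fh.write("ok\n")
    os.symlink(page, os.path.join(docroot, "same-owner"))
    os.symlink(os.path.join(base, "missing"), os.path.join(docroot, "broken"))
    return docroot


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_symlinks(build_sample_tree(tmp)):
            print(*finding, sep="\t")
```

Run it against each directory tree the server exposes; any owner-mismatch entry is a link the server should be refusing to follow.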