Bug 30874 - Apache 1.3.19 fixes security problem with mod_negotiation
Product: Red Hat Linux
Classification: Retired
Component: apache
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
David Lawrence
: Security
Reported: 2001-03-06 17:11 EST by Arenas Belon, Carlo Marcelo
Modified: 2007-04-18 12:32 EDT

Doc Type: Bug Fix
Last Closed: 2001-03-07 09:44:42 EST
Description Arenas Belon, Carlo Marcelo 2001-03-06 17:11:39 EST
As explained on http://www.apache.org/dist/CHANGES_1.3

there was a dangerous interaction between the pre-1.3.18 mod_negotiation and
mod_dir/mod_autoindex that could make the Apache server show the listing
of a directory instead of the negotiated index.html if a very long path was
used (one could be created artificially using slashes and dots).

Given that all three modules are enabled by default on Red Hat, all that is
needed is for someone to enable the MultiViews option (as on /icons) to
become vulnerable.
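
A log check for the request shape described above, added here as an illustration and not part of the original report or of Apache: it flags access-log entries whose request path is very long and made up almost entirely of slashes and dots. The thresholds, function names and sample log lines are assumptions constructed for the example.

```python
import re

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Assumed thresholds (not from the bug report); tune them for your site.
MIN_PATH_LEN = 1024        # shorter paths are ignored
MIN_PADDING_RATIO = 0.9    # share of the path made of '/' and '.'


def padding_ratio(path):
    """Fraction of characters in the path that are '/' or '.'."""
    if not path:
        return 0.0
    return sum(c in "/." for c in path) / len(path)


def suspicious_requests(lines):
    """Return (client, path_length, status) for long, padded request paths."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if len(path) >= MIN_PATH_LEN and padding_ratio(path) >= MIN_PADDING_RATIO:
            # A 200 on such a request deserves a look at what was served.
            hits.append((client, len(path), int(status)))
    return hits


# Constructed sample log lines (documentation addresses, invented sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Mar/2001:17:00:01 -0500] "GET /icons/ HTTP/1.0" 200 2048',
    '192.0.2.11 - - [06/Mar/2001:17:00:05 -0500] '
    '"GET /manual/mod/mod_negotiation.html HTTP/1.0" 200 9120',
    '192.0.2.66 - - [06/Mar/2001:17:01:12 -0500] "GET '
    + "/" * 2000 + ' HTTP/1.0" 200 5310',
    '192.0.2.66 - - [06/Mar/2001:17:01:15 -0500] "GET /'
    + "./" * 2000 + ' HTTP/1.0" 403 280',
]

if __name__ == "__main__":
    for client, length, status in suspicious_requests(SAMPLE_LOG):
        print(f"{client} path_len={length} status={status}")
```
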
Comment 1 Arenas Belon, Carlo Marcelo 2001-03-07 09:44:31 EST
Forgot to mention mod_negotiation in the subject.
Comment 2 Nalin Dahyabhai 2002-01-18 13:11:27 EST
The currently-released errata incorporates these fixes.