Bug 30874 - Apache 1.3.19 fixes security problem with mod_negotiation
Summary: Apache 1.3.19 fixes security problem with mod_negotiation
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: apache   
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
 
Reported: 2001-03-06 22:11 UTC by Arenas Belon, Carlo Marcelo
Modified: 2007-04-18 16:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-03-07 14:44:42 UTC



Description Arenas Belon, Carlo Marcelo 2001-03-06 22:11:39 UTC
As explained on http://www.apache.org/dist/CHANGES_1.3

there was a dangerous interaction between the pre-1.3.18 mod_negotiation and
mod_dir/mod_autoindex that could make the Apache server show the listing
of a directory instead of the negotiated index.html if a very long path was
used (one could be created artificially using slashes and dots).

Given that all three modules are enabled by default on Red Hat, all that is
needed is for someone to enable the MultiViews option (as on /icons) to
become vulnerable.
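
An added example, not part of the original report and not Red Hat's or Apache's code: a configuration audit for the exposure described above. It flags <Directory> sections whose effective Options hold both MultiViews (the option the report names) and Indexes (which mod_autoindex needs in order to produce a listing). Assumptions: the sample configuration is constructed, an unset Options is taken to be All, and only plain-path <Directory> sections are read (no .htaccess files, wildcards or virtual hosts).

```python
import re
# Constructed httpd.conf fragment for illustration (not from the bug report).
SAMPLE_CONF = """
<Directory "/var/www/html">
    Options Indexes Includes FollowSymLinks
</Directory>
<Directory "/var/www/icons">
    Options Indexes MultiViews
</Directory>
<Directory "/var/www/html/manual">
    Options +MultiViews
</Directory>
<Directory "/var/www/html/private">
    Options +MultiViews -Indexes
</Directory>
"""

# "All" covers every option except MultiViews.
ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS = re.compile(r'^[ \t]*Options[ \t]+(.+)$', re.M | re.I)

def expand(name):
    name = name.lower()
    return set(ALL) if name == "all" else set() if name == "none" else {name}

def apply_options(inherited, tokens):
    # A list in which every token is signed merges with the inherited set;
    # any unsigned token makes the directive replace it.
    result = set(inherited) if all(t[0] in "+-" for t in tokens) else set()
    for t in tokens:
        if t.startswith("-"):
            result -= expand(t[1:])
        else:
            result |= expand(t.lstrip("+"))
    return result

def audit(conf, default=frozenset(ALL)):
    """Return <Directory> paths whose effective Options hold MultiViews and Indexes."""
    found = ((p.rstrip("/") or "/", body) for p, body in SECTION.findall(conf))
    effective, findings = {}, []
    for path, body in sorted(found, key=lambda s: len(s[0])):  # parents first
        parents = [p for p in effective if (path + "/").startswith(p.rstrip("/") + "/")]
        opts = effective[max(parents, key=len)] if parents else set(default)
        for line in OPTIONS.findall(body):
            opts = apply_options(opts, line.split())
        effective[path] = opts
        if {"multiviews", "indexes"} <= opts:
            findings.append(path)
    return findings
```

On the sample, /var/www/html/manual is flagged only because its signed `+MultiViews` merges with the Indexes inherited from /var/www/html, which a per-section grep would miss.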

Comment 1 Arenas Belon, Carlo Marcelo 2001-03-07 14:44:31 UTC
Forgot to mention mod_negotiation in the subject.

Comment 2 Nalin Dahyabhai 2002-01-18 18:11:27 UTC
The currently-released errata incorporates these fixes.

