From owner-freebsd-security Fri Aug 11 22:17: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from shiva.art-service.net.ua (shiva.art-service.net.ua [194.44.107.1]) by hub.freebsd.org (Postfix) with ESMTP id 6B6D037BB47 for ; Fri, 11 Aug 2000 22:17:00 -0700 (PDT) (envelope-from raccoon@shiva.art-service.net.ua)
Received: (from raccoon@localhost) by shiva.art-service.net.ua (8.9.3/8.9.3) id IAA34340 for freebsd-security@freebsd.org; Sat, 12 Aug 2000 08:17:05 +0300 (EEST) (envelope-from raccoon)
Date: Sat, 12 Aug 2000 08:17:05 +0300
From: Vladimir Melnik
To: freebsd-security@freebsd.org
Subject: php-3.0.12 and apache-1.3.9: is this a bug or some feature?
Message-ID: <20000812081705.I98373@art-service.net.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
X-Homepage: http://raccoon.art-service.net.ua/
X-Operating-System: FreeBSD 3.3-RELEASE
Organisation: ISP "ART-service"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, citizens.

Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on a FreeBSD-3.4 box and I can't understand it. Look...

I have some php3 scripts on my web server. Ok, let's run an Internet browser and type the URL:

  http://my.web.server/index.html

Oh, well, it's ok, the file `index.html' exists and my apache shows it. Now let's check this:

  http://my.web.server/something.php3

Wow! It's ok too, because this file exists too! ;-) Now we'll do something unusual...

  http://my.web.server/something.php3/boo-boo/oops/

or even

  http://my.web.server/something.php3/../../../../

Oops... I can see this document, but, #$%%^%^!.. But where are all the images?! ;-) I can't see any of my images displayed correctly. 404. But why do I see the html document? Ok, let's try:

  http://my.web.server/index.html/boo-boo/oops/

404, sir. Ok. But what's happened to my php?! ;-)

It's interesting to think about, isn't it? ;-) What are your guesses?

-- 
V.Melnik

P.S. Sorry for my English, please. :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
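What the post describes is the server's PATH_INFO handling, and the missing images follow from how a browser resolves relative URLs against the extended page URL. The Python model below is an added illustration written for this archive page; it is not code from the post, from Apache or from PHP. It simulates three things: the split of a request path into script and PATH_INFO (the longest leading prefix that names an existing file is the script, the remainder is PATH_INFO), the plain-file handler refusing any trailing path info with 404 while the script handler accepts it, and a browser resolving an `<img src>` relative to the page it was loaded from. `DOCROOT_FILES`, the host name and the image path are constructed sample data; `accept_path_info` is a hypothetical hardening switch, not a setting of the software in the post.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample docroot for the model: the two files named in the
# post plus an assumed image file that the scripts reference.
DOCROOT_FILES = {"/index.html", "/something.php3", "/images/logo.gif"}

# Extensions handed to the script module (mod_php3 in the post).
SCRIPT_SUFFIXES = (".php3",)


def split_script_path(url_path):
    """Derive (SCRIPT_NAME, PATH_INFO) the way a CGI-style server does:
    the longest leading prefix of the path that names an existing file
    is the script, and whatever follows it is PATH_INFO.
    Returns (None, url_path) when no prefix maps to a file."""
    segments = url_path.split("/")
    for i in range(len(segments), 0, -1):
        candidate = "/".join(segments[:i]) or "/"
        if candidate in DOCROOT_FILES:
            path_info = "/".join([""] + segments[i:]) if i < len(segments) else ""
            return candidate, path_info
    return None, url_path


def route(url_path, accept_path_info=True):
    """Model of the server's decision for one request path.

    Returns (status, script, path_info).  The script handler runs the
    script and passes PATH_INFO along to it; the default handler for
    plain files refuses any trailing path info with 404, which is the
    /index.html/boo-boo/oops/ case in the post.  accept_path_info is a
    hypothetical hardening switch: with it off, scripts also reject
    unexpected PATH_INFO instead of answering under any trailing path."""
    script, path_info = split_script_path(url_path)
    if script is None:
        return 404, None, path_info
    if script.endswith(SCRIPT_SUFFIXES):
        if path_info and not accept_path_info:
            return 404, script, path_info
        return 200, script, path_info
    if path_info:
        return 404, script, path_info      # plain file: no path info allowed
    return 200, script, ""


def resolve_and_route(page_url, src):
    """What the browser requests for an <img src=src> found in the page at
    page_url, and what the modelled server does with that request.
    A relative src is resolved against the full page URL, PATH_INFO
    included, so it no longer points at the image file."""
    target = urljoin(page_url, src)
    return target, route(urlsplit(target).path)


if __name__ == "__main__":
    for path in ("/index.html", "/something.php3",
                 "/something.php3/boo-boo/oops/", "/index.html/boo-boo/oops/"):
        print(path, "->", route(path))
    page = "http://my.web.server/something.php3/boo-boo/oops/"
    for src in ("images/logo.gif", "/images/logo.gif"):
        print(repr(src), "->", resolve_and_route(page, src))
```

Running it shows the asymmetry from the post: `/something.php3/boo-boo/oops/` reaches the script with PATH_INFO `/boo-boo/oops/`, while `/index.html/boo-boo/oops/` is refused. It also shows why the pictures vanish: a relative `images/logo.gif` in that page is requested as `/something.php3/boo-boo/oops/images/logo.gif`, which maps back to the script rather than to the image file, whereas an absolute `/images/logo.gif` (or a `<base href>` in the page) still reaches it. Answering under arbitrary trailing paths is what PATH_INFO is for, so it is not a bug, but a script that does not use PATH_INFO should refuse it, and any value that embeds it (PHP's `PHP_SELF`, for instance) must not be echoed into the page unescaped.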