From owner-freebsd-security Sat Aug 12 8:32:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from viagara.salon.com (viagara.salon.com [208.48.211.122]) by hub.freebsd.org (Postfix) with ESMTP id BD4C037B763 for ; Sat, 12 Aug 2000 08:32:53 -0700 (PDT) (envelope-from spidaman@salon.com)
Received: from localhost (spidaman@localhost) by viagara.salon.com (8.9.3/8.9.3) with ESMTP id IAA41298; Sat, 12 Aug 2000 08:32:40 -0700 (PDT) (envelope-from spidaman@salon.com)
X-Authentication-Warning: viagara.salon.com: spidaman owned process doing -bs
Date: Sat, 12 Aug 2000 08:32:40 -0700 (PDT)
From: Ian Kallen
To: Vladimir Melnik
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: php-3.0.12 and apache-1.3.9: it this a bug or some feature?
In-Reply-To: <20000812081705.I98373@art-service.net.ua>
Message-ID:
X-fish: cod
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Where is the freebsd-security issue? This has to do with Apache and PHP
configuration, settings you might have that can produce confusing results
interpreting PATH_INFO. Therefore comp.infosystems.www.servers.unix is a
more appropriate place to ask this and without posting a representative
httpd.conf, probably difficult to answer.

Today, Vladimir Melnik frothed and...:

> Hello, citizens.
>
> Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on
> one FreeBSD-3.4 box and I can't understand it. Look... I have
> some php3-scripts at my web-server. Ok, let's run Internet
> Browser and type URL:
>
> http://my.web.server/index.html
>
> Oh, well, it's ok, file `index.html' exists and my apache shows
> it. Now let's check this:
>
> http://my.web.server/something.php3
>
> Wow! It's ok too, `cause this file exists too! ;-) Now we'll do
> something unusual...
>
> http://my.web.server/something.php3/boo-boo/oops/
>
> or even
>
> http://my.web.server/something.php3/../../../../
>
> Oops... I can see this document, but, #$%%^%^!.. But where are all the
> images?! ;-) I can't see any of my displayed
> correctly. 404. But why do I see html-document? Ok, let's try:
>
> http://my.web.server/index.html/boo-boo/oops/
>
> 404, sir. Ok. But what's happened to my php?! ;-) It's interesting
> to think about, isn't it? ;-) What are your guesses?
>
>

--
Salon Internet http://www.salon.com/
Manager, Software and Systems "Livin' La Vida Unix!"
Ian Kallen / AIM: iankallen / Fax: (415) 354-3326

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
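The PATH_INFO handling named in the reply, as an added example (not code from either poster, and not Apache's own implementation): a simplified model in which the longest leading part of the URL path that names a file is served and the remainder becomes PATH_INFO, a script handler accepts that remainder, and the static-file handler answers 404. The document root contents and the image name `images/logo.gif` are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed document root: URL path -> handler type (hypothetical layout).
DOCROOT = {
    "/index.html": "static",
    "/something.php3": "php",
    "/images/logo.gif": "static",
}

def split_path_info(path, docroot=DOCROOT):
    """Return (file, path_info): the longest leading prefix of the path
    that names a file, and whatever trails it. (None, path) if none does."""
    parts = path.split("/")
    for i in range(len(parts), 1, -1):
        candidate = "/".join(parts[:i])
        if candidate in docroot:
            return candidate, path[len(candidate):]
    return None, path

def respond(path, docroot=DOCROOT):
    """Simplified model: a script handler accepts trailing PATH_INFO,
    the static-file handler refuses it with 404."""
    target, path_info = split_path_info(path, docroot)
    if target is None:
        return 404, None, path_info
    if docroot[target] == "static" and path_info:
        return 404, target, path_info
    return 200, target, path_info

def image_request(page_url, img_src):
    """Path the browser requests for a relative <img src> on page_url."""
    return urlsplit(urljoin(page_url, img_src)).path

if __name__ == "__main__":
    for p in ("/index.html", "/something.php3",
              "/something.php3/boo-boo/oops/", "/index.html/boo-boo/oops/"):
        print(p, "->", respond(p))
    # Relative image links resolve against the page URL, so the extra path
    # segments move the request away from the image's real location.
    base = "http://my.web.server/something.php3"
    print(image_request(base, "images/logo.gif"))
    print(image_request(base + "/boo-boo/oops/", "images/logo.gif"))
```
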