OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: HTTP REQUEST_METHOD flaw

Re: HTTP REQUEST_METHOD flaw

Kragen Sitaker (kragenPOBOX.COM)
Thu, 7 Jan 1999 16:40:26 -0500 

On Wed, 6 Jan 1999, Marc Slemko wrote:
(on <Limit GET POST>)
> This certainly isn't a new issue, and certainly isn't anything that hasn't
> been said over and over, and isn't a bug in Apache but a bug in a user's
> configuration, but people still seem to have trouble getting the message.

This is because many people are still using web pages that tell how to
configure circa-1995 NCSA httpd when they want to find out how to
configure Apache, or fix their config files.

An AltaVista search for limit-get-post finds 589 web pages -- including
http://www.apache.kr.net/ in an example access.conf! -- so probably
several times that many old web pages, memories, hastily jotted notes,
and documents around the world are providing faulty information to new
admins.

The only real solution will be to make a non-backwards-compatible
change, perhaps changing the name of the <Limit> directive.

(I'm reminded of a particular brand of small plane that used to keep
crashing with fuel-system problems on landing.  Why?  The fuel shutoff
valve handle was located where the internal heating-system shutoff
valve handle was located on another brand of small planes.  Pilots
would reach up to turn off the heat as they approached -- the better to
be more alert -- and would then discover that the engines no longer
worked.)

--
<kragenpobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
[around 1998-12-23], it is amazing to watch fear and loathing and greed at
play with the more speculative Internet stocks.  To call this a tulip
craze would be a vast understatement. -- Adam Rifkin, <adamcs.caltech.edu>