Subject: php-3.0.12 and apache-1.3.9: is this a bug or some feature?
From: Vladimir Melnik (raccoonart-service.net.ua)
Date: Sat Aug 12 2000 - 00:17:05 CDT


Hello, citizens.

        Tonight I saw strange behavior of apache-1.3.9 with php-3.0.12 on
        one of the FreeBSD-3.4 boxes and I can't understand it. Look... I have
        some php3-scripts at my web-server. Ok, let's run an Internet
        browser and type the URL:
        
                http://my.web.server/index.html
        
        Oh, well, it's ok, file `index.html' exists and my apache shows
        it. Now let's check this:

                http://my.web.server/something.php3

        Wow! It's ok too, `cause this file exists too! ;-) Now we'll do
        something unusual...

                http://my.web.server/something.php3/boo-boo/oops/

        or even

                http://my.web.server/something.php3/../../../../

        Oops... I can see this document, but, #$%%^%^!.. But where are all
        the images?! ;-) I can't see any of my <img src="..."> displayed
        correctly. 404. But why do I see the html-document? Ok, let's try:

                http://my.web.server/index.html/boo-boo/oops/

        404, sir. Ok. But what's happened to my php?! ;-) It's interesting
        to think about, isn't it? ;-) What are your guesses?

-- 
V.Melnik

P.S. Sorry for my English, please. :-)
