[RndTbl] weird apache hit

Scott Toderash scott at 100percenthelpdesk.com
Mon Feb 24 09:38:44 CST 2020


You would need to put the restrictions in the global section outside of 
the virtualhost sections to deal with this.


On 2020-02-23 00:15, Trevor Cordes wrote:
> Doh.  I can also confirm that you can exploit this "flaw" to read any
> file in /var/www/html and its subdirs even if other virthost <Location>
> and <Directory> rules forbid it.  Further, php files get spit out
> verbatim (as source) without execution.  However, you have to guess the
> exact file paths/names. Luckily I had dirindexes turned off globally!
> 
> I guess the moral of the story is global docroot should never point to
> anywhere that has real files when you use virthosts for everything.
> However, once I change global docroot, I'll have to make sure every
> global setting that applies to docroot and below will be duplicated in
> the virthosts, as they may no longer apply to the subdirs... I'll have
> to look into that.
> 
> Also, having all dir definitions outside of virthosts would have
> helped.  I like to keep things nested though as it makes more sense to
> me to have dirs inside the only virthosts they can be accessed by.
> 
> All this plus the explicit listens on only certain IPs has solved it.
> Plus, I realized that newer apaches added support for adding "https" to
> the end of a Listen to force that Listen line (port) to only talk
> https and not allow it to pretend it's port 80.
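The mitigations discussed in this thread, sketched as an Apache httpd 2.4 configuration. This is an added example, not configuration from either poster; the address 192.0.2.10, the host name, the /var/www/empty and /var/www/html/site1 paths and the certificate paths are assumed placeholders.

```apache
# Constructed example: addresses, names and paths are placeholders.

# Before (the risky layout described above): the global DocumentRoot holds
# real files, so a request handled by the global server instead of a
# vhost is not subject to rules nested inside the <VirtualHost> blocks.
#
#   Listen 443
#   DocumentRoot "/var/www/html"

# After:
# 1. Listen only on the addresses the vhosts actually use. The optional
#    protocol argument ("https") declares what that listener speaks.
Listen 192.0.2.10:80
Listen 192.0.2.10:443 https

# 2. The global DocumentRoot points at a directory with no real files.
DocumentRoot "/var/www/empty"

# 3. Restrictions live in the global section, outside any vhost, so they
#    apply no matter which server context ends up answering.
<Directory "/">
    AllowOverride None
    Options -Indexes
    Require all denied
</Directory>

# 4. Each vhost sets its own DocumentRoot and grants only what it needs.
#    The grant is nested, so the global server never inherits it.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html/site1"
    SSLEngine on
    SSLCertificateFile    "/etc/pki/tls/certs/example.crt"    # placeholder
    SSLCertificateKeyFile "/etc/pki/tls/private/example.key"  # placeholder

    <Directory "/var/www/html/site1">
        Require all granted
    </Directory>
</VirtualHost>
```

Running `apachectl -S` after the change lists which vhost each address and port maps to, and `apachectl configtest` checks the syntax before a reload.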

