Our webserver is on a RedHat9 IBM e-series. We serve all files from an smbfs-mounted DocumentRoot. Now we just realized that whenever we appended a "%5C" to any of our URIs we could actually see the source code. For example, "www.somewhere.com/index.php%5C" would let you see the index.php file's source code. No need to tell you we're panicking.

In IE, which we mostly use for tests, you have to explicitly enter the code, but in Firefox, as soon as you end the URI in a backslash it interprets it as "%5C". So basically we found it by making a typo in Firefox.

For the moment I transferred all the files to the webserver, which has an ext2 filesystem, and everything works fine, but I am wondering if there's anything I could do in the httpd.conf file to keep on using that setup. We tried denying files ending with a backslash or "%5c"; it didn't work. We also tried using RedirectMatch or rewrite, but it seems no regex works.

Now the only link I can make out of this problem is that smb is a "windows type" protocol and so is the backslash. But why is it that when the DocumentRoot is on a Linux-based filesystem it appends the backslash to the file name, while on an smbfs it shows the code?
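A log check for the behaviour described in the message above, as an added example that is not part of the original post: it flags requests whose path ends in a raw or percent-encoded backslash and marks the ones answered with a 2xx status, where source may have been served. The common/combined access log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common/combined log format; the quoted request may hold escapes such as \" and \\.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2000:10:01:09 +0000] "GET /index.php%5C HTTP/1.1" 200 1843
198.51.100.7 - - [01/Jan/2000:10:02:30 +0000] "GET /inc/db.php%5c?x=1 HTTP/1.1" 200 912
198.51.100.7 - - [01/Jan/2000:10:02:41 +0000] "GET /login.php\\ HTTP/1.1" 404 210
203.0.113.5 - - [01/Jan/2000:10:03:00 +0000] "GET /search.php?q=a%5C HTTP/1.1" 200 4000
'''

def ends_in_backslash(uri):
    """True if the path part (query string excluded) ends in '\\' or %5C/%5c."""
    path = uri.split("?", 1)[0]
    return unquote(path).endswith("\\")

def scan(log_text):
    """Return one finding per request whose path ends in a backslash."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-matching line
        parts = m.group("request").split()
        if len(parts) < 2 or not ends_in_backslash(parts[1]):
            continue
        status = int(m.group("status"))
        findings.append({
            "host": m.group("host"),
            "uri": parts[1],
            "status": status,
            # 2xx means the server returned a body for the backslash-terminated path.
            "served": 200 <= status < 300,
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        label = "SERVED, review response" if f["served"] else "not served"
        print(f'{f["host"]} {f["uri"]} {f["status"]} {label}')
```
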