My scripts are issuing the x-sendfile HTTP header, and Apache is interpreting it correctly, sending the designated file path to the client. So far, so good.
However, Apache DOES NOT remove or "swallow" the x-sendfile header. It will go along to the client side, revealing my internal file system paths to the client side.
I think this is a severe security vulnerability. Can you notice the same problem?

If not:
- Which Apache version are you using?
- How are your scripts issuing the headers, that is, how are they spelt and in which order?

If you're having the same problem:
- How can we fix it?

Thanks in advance for your help!

--
Thanks,

Jose Adriano Baltieri - Systems Analyst
DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
PIRACICABA - SP - Brazil - Phone: (19) 3124-1858
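
A client-side check for the leak described in the message above, added here as an example and not part of the original post: it reports any X-Sendfile value that reaches the client, either from a captured response or from a live request to your own server. The function names and the sample responses (including the file path) are constructed for illustration.

```python
import http.client
import io
from urllib.parse import urlsplit

# Header named in the post; HTTP header names are case-insensitive.
LEAK_HEADER = "x-sendfile"

def sendfile_values(headers):
    """Return the value of every X-Sendfile header in (name, value) pairs."""
    return [value.strip() for name, value in headers if name.lower() == LEAK_HEADER]

def check_raw_response(raw):
    """Inspect a captured response head (bytes: status line, headers, blank line)."""
    fp = io.BytesIO(raw)
    fp.readline()  # skip the status line; parse_headers expects header lines only
    return sendfile_values(http.client.parse_headers(fp).items())

def check_url(url, timeout=5):
    """Request url from your own server; return X-Sendfile values the client received."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return sendfile_values(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses; the path is made up for the example.
LEAKY = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: application/pdf\r\n"
         b"X-SENDFILE: /srv/app/private/report.pdf\r\n"
         b"\r\n")
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: application/pdf\r\n"
         b"\r\n")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        found = check_raw_response(raw)
        print(label, "LEAK: " + ", ".join(found) if found else "ok")
```

An empty list means the header did not reach the client; any returned value is an internal path that was exposed.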