[users@httpd] mod_xsendfile and security issues

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I'm using mod_xsendfile (http://celebnamer.celebworld.ws/stuff/mod_xsendfile) with Apache 2.0.58 on Windows.

My scripts are issuing the x-sendfile http header and, Apache is interpreting it correctly, sending the designated file path to the client. So far, so good.

However, Apache DOES NOT remove or "swallows" the x-sendfile header. It will go along to client side, revealing to client side my internal file system paths.

I think this is a severe security vulnerability.

Can you notice the same problem ?

If not:

- Which Apache version are you using ?
- How are your scripts issuing the headers, that is, how are them spelt and in which order ?

If you're having the same problem:

- How can we fix it ?

Thanks in advance for you help !


--
Obrigado,
------------------------------------------------------------------------------
               Jose Adriano Baltieri - Analista de Sistemas
               DTI - CENTRO - UNIMEP - Universidade Metodista de Piracicaba
               PIRACICABA - SP - Brasil - Fone : (19) 3124-1858
------------------------------------------------------------------------------


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux