On Thursday 24 August 2006 12:12, Jose Adriano Baltieri wrote:

> However, Apache DOES NOT remove or "swallow" the x-sendfile header. It
> will go along to client side, revealing to client side my internal file
> system paths.

Does Header Unset x-sendfile have any effect?

> I think this is a severe security vulnerability.

Well, it may be unwanted, but to be a secure security vulnerability
seems to imply that security depends on obscurity.

> Can you notice the same problem?

I don't expect many people here use that module. Have you asked
its developer?

--
Nick Kew