On 10/5/06, Ed Sawicki <ed@xxxxxxxxxxxx> wrote:
If I set AllowEncodedSlashs On, the request still results in a 404 message because of the other obfuscated characters. I'll try Apache version 2.2 later. As I said earlier, I'm happy that Apache behaves this way but I'd like to know why Apache/PHP sites are so vulnerable to attacks that use obfuscation.
Can you cite some examples? Often the obfiscation happens in the query string, which apache just passes along to the applicatoin. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|