> Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file > names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and > "WEB-INF.." are just two names for the same file. This also works if the > filename already has an extension, so for example "foo.html" and > "foo.html....." are the same file, too. I wonder whether that can be > exploited, too: Get the contents of a CGI script by requesting > "foo.cgi."? I checked it on our Windows 2000 Server running Apache 2.0.48, it didn't work for the .pl-scripts. I.e. "download.pl." instead of "download.pl" gave the output of the actual script. Oliver
