* "Oliver Schneider" <Borbarad@gmxpro.net> wrote: > > Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file > > names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and > > "WEB-INF.." are just two names for the same file. This also works if the > > filename already has an extension, so for example "foo.html" and > > "foo.html....." are the same file, too. I wonder whether that can be > > exploited, too: Get the contents of a CGI script by requesting > > "foo.cgi."? > I checked it on our Windows 2000 Server running Apache 2.0.48, it didn't > work for the .pl-scripts. > I.e. "download.pl." instead of "download.pl" gave the output of the actual > script. In fact, I could not find any situation running pure apache where it occurs. So I suspect the problem occurs only with the foreign resin handler which seems to do its own mapping :-( nd
