Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
Apache Today [Your Apache News Source] To

Apache HTTPD Links
The Apache Software Foundation
Apache XML Project
The Jakarta Project
Apache Project
The Apache FAQ
PHP Server Side Scripting
Apache-Perl Integration Project
The Java Apache Project
Apache Module Registry
Apache-Related Projects
The Linux Channel at
Apache Today
Enterprise Linux Today
BSD Today
Linux Central
Linux Planet
Linux Start
Just Linux
Linux Apps
Linux Programming
Linux Today
All Linux Devices
BSD Central
EnGarde Linux advisory: Apache directory listing vulnerability
Jun 21, 2001, 21 :19 UTC (1 Talkback[s]) (3007 reads)

| EnGarde Secure Linux Security Advisory                   June 20, 2001 |
|                           ESA-20010620-02 |
|                                                                        |
| Package:  apache                                                       |
| Summary:  An attacker can bypass index files and retrieve a directory  |
|           listing.                                                     |

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.

- --------
  There is a vulnerability in apache by which an attacker can get a
  directory listing even when an index file (such as index.html) is

- ------
  By sending apache a very long path containing slashes, an attacker can
  trick mod_negotiation and mod_dir/mod_autoindex into displaying a
  directory listing.  This was fixed in apache version 1.3.18 (which was
  an internal release not made available to the public).  This updated
  package will now return a 403 (FORBIDDEN) when such a request is made.

- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh 

  Once the updated package is installed, you need to restart it:

    # /etc/init.d/httpd restart

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv 

- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

      MD5 Sum:  23e58c358deef336067d165b51ed7b3d

  Binary Packages:

      MD5 Sum:  084e9b7630af62f540e539e7a66af559

      MD5 Sum:  aab4dc51aca297660eee675a56fc506b

- ----------
  Guardian Digital's public key:

  Credit for the discovery of this bug goes to:
    Martin Kraemer

  Apache's Official Web Site:

  Apache's Changelog:

- --------------------------------------------------------------------------
$Id: ESA-20010620-02-apache,v 1.3 2001/06/20 18:51:29 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple,  
Copyright 2001, Guardian Digital, Inc.

  Current Newswire:
Apache 2.0.32 beta is available

Everything Solaris: Apache: The Basics

Apache Jakarta James Mailserver v2.0a2 Released

PostgreSQL v7.2 Final Release

Daemon News: Multiple webservers behind one IP address

Zend Technologies launches Zend Studio 2.0

NuSphere first to enable development of PHP web services

Covalent Technologies raises $18 million in venture capital

Apache 1.3.23 released

wdvl: Build Your Own Database Driven Website Using PHP and MySQL: Part 4

 Talkback(s) Name  Date
Hi, I'm using apache win apache v1.3.12, and it doesn't seem to be affec ...   Win Apache v 1.3.12 affected ?   
  Feb 9, 2002, 04:08:54
Enter your comments below.
Your Name: Your Email Address:

Subject: CC: [will also send this talkback to an E-Mail address]

See our talkback-policy for or guidelines on talkback content.

About Triggers Media Kit Security Triggers Login

All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.4, Apache 1.3, and PHP 4
Copyright 2002 INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.