On Thu, Nov 02, 2006 at 03:32:39PM +0100, Bastian Venthur <[EMAIL PROTECTED]> wrote:
> Hi
>
> I've just upgraded #393913 from minor to important.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393913
>
> Somebody just mailed me that this bug is release critical since it
> allows to read/download php-scripts (like index.php).
>
> Can somebody confirm that this bug is RC or should I just keep it important?

DirectoryIndex tells Apache which file(s) it may use when the URL points to a directory, instead of creating an index of the directory itself, if allowed to.

The default value for DirectoryIndex is index.html, which obviously forgets index.php. But that doesn't mean index.php will be readable as source. It only means that the auto index will be displayed if no index.html is present and if allowed to.

Auto-indexes are enabled only in /var/www/apache2-default and /usr/share/apache2/icons by default, so it is not likely to leak any unexpected file list.

So no, that doesn't grant an RC bug for these reasons. On the other hand, it breaks configurations that used to work... (sites relying on this index.php setting will get 403 errors after upgrade from 2.0)

Mike
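
Added example, not part of the original message and not Debian's or Apache's own code: a small audit that reads Apache configuration text and reports the DirectoryIndex names, the `<Directory>` blocks where auto-indexing is switched on, and whether index.php is missing from DirectoryIndex. The sample configuration is constructed to mirror the defaults described above; the parser is a simplification that ignores Include files and Options inheritance between blocks.

```python
import re

# Constructed sample configuration modelled on the defaults described in the message.
SAMPLE_CONF = """\
DirectoryIndex index.html
<Directory /var/www/>
    Options FollowSymLinks
</Directory>
<Directory /var/www/apache2-default>
    Options Indexes FollowSymLinks
</Directory>
<Directory /usr/share/apache2/icons>
    Options Indexes MultiViews
</Directory>
"""

DIR_OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>$', re.I)
DIR_CLOSE = re.compile(r"</Directory>", re.I)


def audit(conf_text, wanted_index="index.php"):
    """Summarise DirectoryIndex and auto-index settings found in conf_text."""
    index_names, autoindex_dirs, current_dir = [], [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIR_OPEN.match(line)
        if opened:
            current_dir = opened.group(1)
            continue
        if DIR_CLOSE.match(line):
            current_dir = None
            continue
        directive, *args = line.split()
        if directive.lower() == "directoryindex":
            index_names.extend(args)
        elif directive.lower() == "options" and current_dir is not None:
            # "Options All" includes Indexes; "-Indexes" and "None" do not.
            if any(a.lower() in ("indexes", "+indexes", "all") for a in args):
                autoindex_dirs.append(current_dir)
    return {
        "index_names": index_names,
        "autoindex_dirs": autoindex_dirs,
        "wanted_missing": wanted_index not in index_names,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A directory that holds only index.php and is not in `autoindex_dirs` is the case that returns 403 while `wanted_missing` is true.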