Re: [EMAIL PROTECTED] RewriteRule exposing system directories
Hi,

Samuel Vogel wrote:
> It seems like Apache just forgets about the "../". A relative path to
> "../wcf/" called from "wbb.samy.domain.de" results in the following:
> [Thu Dec 13 21:26:24 2007] [error] [client 160.94.18.117] File does not
> exist: /data/apache/users/domain.de/samy/www/wbb/wcf, referer:
> http://wbb.samy.domain.de/
>
> When I call "samy.domain.de/wbb" it works though!

This is obvious, really. You cannot go up past the root of
wbb.samy.domain.de. Therefore to access wcf.samy.domain.de you'll have to
use the FQDN. (Apache will map the request for wbb.samy.domain.de/../wcf
to wbb.samy.domain.de/wcf)

Accessing it through samy.domain.de means that you are accessing it from
the parent directory, therefore there is a ../wcf in relation to wbb.

> I turned on the RewriteLog, but the file stays empty:
> RewriteLog /data/apache/rewrite.log
> RewriteLogLevel 9
>
> The rights on the file are as follows (and apache created it by itself):
> -rwxrwxrwx 1 www-data www-data 0 2007-12-13 20:20 /data/apache/rewrite.log
>
> Does the errorlog snippet already contain enough information? If not,
> then please hint me towards how to obtain the Rewrite log!
>
> Regards,
> Samy
>
>
> Vincent Bray schrieb:
>> On 13/12/2007, Samuel Vogel <[EMAIL PROTECTED]> wrote:
>>
>>> I don't understand why it worked beforehand with my insecure
>>> RewriteRule.
>>> Also in my opinion mod_rewrite should/does not change the path, it just
>>> makes it appear different!?
>>>
>>> For example, when I call "samy.domain.de/wbb" it works, but
>>> "wbb.domain.kilu.de/" it does not work. Rewriting looks like this now:
>>>
>>> RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
>>> RewriteCond %{HTTP_HOST} ^(www.)?([a-z0-9-]+)\.samy\.domain\.de
>>> RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]

To me this doesn't make sense. All rewriting is relative to the
DocumentRoot anyway so you shouldn't have to include it in the
RewriteRule. You can't use RewriteRule to map to arbitrary directories in
the filesystem.

I also really can't see why Apache would serve the contents of /etc if
you have your DocumentRoot set to /data/apache/users. You don't have your
DocumentRoot set to / do you? Assuming your DocumentRoot is set to
/data/apache/users then all data served will be from within there.

If you are going to continue to use the above RewriteConds then you'll
need to escape the '.' in the second one, otherwise www3, wwwx, etc. will
match.

>>> Why does this break relative paths?

Because they try to go above the root.

>> That's hard to say without seeing the rewrite log. I don't know if ../
>> would be interpreted as part of the path in this case (I would guess
>> not, but check your error log for the paths of your 404s).

Neil.

--
Neil Hillard                    [EMAIL PROTECTED]
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the views of
Westland Helicopters Ltd.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
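To see what Neil's two points look like on real hostnames (why the '.' after "www" needs escaping, and what "cannot go up past the root" means for the mapped path), here is a Python emulation of the posted RewriteCond/RewriteRule set. It is an added example, not code from the thread or from Apache; DOCUMENT_ROOT is a constructed value, and Python's re stands in for Apache's PCRE, which behaves the same for these patterns.

```python
import posixpath
import re

# Constructed for this example; Neil assumes /data/apache/users, the error
# log quoted above shows a deeper path. Any absolute directory works here.
DOCUMENT_ROOT = "/data/apache/users/domain.de/samy/www"

# First RewriteCond from the thread: skip the bare www host entirely.
EXCLUDE_WWW = re.compile(r"^www\.samy\.domain\.de")
# Second RewriteCond exactly as posted: the '.' after "www" is unescaped,
# so the optional prefix group matches "www" followed by ANY character.
HOST_AS_POSTED = re.compile(r"^(www.)?([a-z0-9-]+)\.samy\.domain\.de")
# The same condition with the '.' escaped, as Neil suggests.
HOST_ESCAPED = re.compile(r"^(www\.)?([a-z0-9-]+)\.samy\.domain\.de")


def rewrite_target(host, uri, host_cond, docroot=DOCUMENT_ROOT):
    r"""Emulate the posted rule set for one request:
        RewriteCond %{HTTP_HOST} !^www\.samy\.domain\.de
        RewriteCond %{HTTP_HOST} <host_cond>
        RewriteRule (.*) %{DOCUMENT_ROOT}/%2/$1 [L]
    Returns the filesystem path the rule would produce, or None when a
    condition fails and the rule is skipped."""
    if EXCLUDE_WWW.match(host):
        return None
    m = host_cond.match(host)
    if not m:
        return None
    # %2 is the second capture of the last matched RewriteCond, $1 the URI.
    return "%s/%s/%s" % (docroot, m.group(2), uri.lstrip("/"))


def is_confined(path, docroot=DOCUMENT_ROOT):
    """Defensive check: after collapsing '.' and '..' segments (Apache
    normalizes the request URI before mod_rewrite sees it), does the mapped
    path still lie inside docroot? This is the property Neil relies on when
    he says nothing outside DocumentRoot can be served."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(docroot)
    return norm == root or norm.startswith(root + "/")
```

With the unescaped dot, a host such as wwwfoo.samy.domain.de is split into prefix "wwwf" and %2 = "oo", so the request is served from the "oo" directory rather than "wwwfoo"; with the dot escaped, %2 is the whole label.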
Re: [EMAIL PROTECTED] RewriteRule exposing system directories
Hi,

Vincent Bray wrote:
> On 14/12/2007, Neil A. Hillard <[EMAIL PROTECTED]> wrote:
>> To me this doesn't make sense. All rewriting is relative to the
>> DocumentRoot anyway so you shouldn't have to include it in the
>> RewriteRule. You can't use RewriteRule to map to arbitrary directories
>> in the filesystem.
>
> Hi Neil,
>
> That's flat wrong, sorry. Try it :-)

OK - I stand corrected. This looks to be something that was changed
between 2.0 and 2.2...

Neil.

--
Neil Hillard                    [EMAIL PROTECTED]
AgustaWestland                  http://www.whl.co.uk/

Disclaimer: This message does not necessarily reflect the views of
Westland Helicopters Ltd.
[EMAIL PROTECTED] Content-length with 401 response.
Hi,

We have implemented a filter on Apache web server to force basic
authentication for all the resources in the doc root folder.

As per the RFC, we need to return a 401 response to any request for a
file in the doc root folder.

Currently we are returning WWW-Authenticate as a mandatory field and some
other optional fields. We are not sure about the content-length field. We
are not returning any contents with the 401 response.

1) Can we skip the content-length field?
2) Is it mandatory to return the content-length field with 401 responses?

Here is the current header trace with our filter.

GET /basic/testpage.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 13 Dec 2007 08:21:36 GMT
If-None-Match: "15052-61-a26c4bb7"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 2.0.50727; InfoPath.1)
Host: ps4480
Connection: Keep-Alive

HTTP/1.1 401 Authorization Required
Date: Thu, 13 Dec 2007 11:27:22 GMT
Server: Apache/2.2.6 (Win32)
WWW-Authenticate: Basic realm="By Invitation Only apache_2.2.6-win32."
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

Thanks,
Pradeep.

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is
the property of Persistent Systems Ltd. It is intended only for the use
of the individual or entity to which it is addressed. If you are not the
intended recipient, you are not authorized to read, retain, copy, print,
distribute or use this message. If you have received this communication
in error, please notify the sender and delete all copies of this message.
Persistent Systems Ltd. does not accept any liability for virus infected
mails.
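The question is really one of message framing rather than of 401 itself. The checker below, added here and not from the thread or from Apache, parses the posted 401 head (constructed inline from the trace) and applies the RFC 2616 section 4.4 rules for how a client finds the end of a response body: with Connection: Keep-Alive and neither Content-Length nor Transfer-Encoding, the client cannot tell that the (empty) body has ended, so a bodiless 401 on a persistent connection should carry Content-Length: 0. It also checks the section 10.4.2 requirement that a 401 carry WWW-Authenticate.

```python
import re
from typing import Optional

# Constructed from the 401 response trace posted above (head only; the
# filter returned no body).
RESPONSE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Thu, 13 Dec 2007 11:27:22 GMT\r\n"
    "Server: Apache/2.2.6 (Win32)\r\n"
    'WWW-Authenticate: Basic realm="By Invitation Only apache_2.2.6-win32."\r\n'
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)


def parse_response_head(raw: str):
    """Split an HTTP/1.x response head into (status_code, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        raise ValueError("bad status line: %r" % status_line)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = (headers[name] + ", " if name in headers else "") + value.strip()
    return int(m.group(1)), headers


def body_delimiter(status: int, headers: dict) -> Optional[str]:
    """How the client knows where the body ends (RFC 2616 4.4, in order):
    a status that never has a body, Transfer-Encoding, Content-Length,
    multipart/byteranges, or the server closing the connection.
    None means ambiguous: keep-alive was advertised but no length given."""
    if 100 <= status < 200 or status in (204, 304):
        return "no-body"
    if "transfer-encoding" in headers:
        return "transfer-encoding"
    if "content-length" in headers:
        return "content-length"
    if headers.get("content-type", "").startswith("multipart/byteranges"):
        return "multipart/byteranges"
    if "close" in headers.get("connection", "").lower():
        return "connection-close"
    return None


def check_401(raw: str) -> list:
    """Return the list of problems found in a 401 response head."""
    status, headers = parse_response_head(raw)
    problems = []
    if status != 401:
        problems.append("status is %d, not 401" % status)
    # RFC 2616 10.4.2: a 401 response MUST include WWW-Authenticate
    if "www-authenticate" not in headers:
        problems.append("401 without WWW-Authenticate")
    if body_delimiter(status, headers) is None:
        problems.append("keep-alive response with no Content-Length, "
                        "Transfer-Encoding or Connection: close")
    return problems
```

Either adding Content-Length: 0 or answering with Connection: close clears the framing problem; with Apache's own mod_auth_basic the 401 is built by the core with its error body and length, which is what the later reply in this digest is getting at.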
Re: [EMAIL PROTECTED] RewriteRule exposing system directories
On 14/12/2007, Neil A. Hillard <[EMAIL PROTECTED]> wrote:
> To me this doesn't make sense. All rewriting is relative to the
> DocumentRoot anyway so you shouldn't have to include it in the
> RewriteRule. You can't use RewriteRule to map to arbitrary directories
> in the filesystem.

Hi Neil,

That's flat wrong, sorry. Try it :-)

--
noodl
Re: [EMAIL PROTECTED] Content-length with 401 response.
On Fri, 14 Dec 2007 15:23:05 +0530
"Pradeep" <[EMAIL PROTECTED]> wrote:

> We have implemented a filter on Apache web server to force the basic
> authentication for all the resources in the doc root folder.

Why would you use a filter for that?

> As per the RFC, we need to return 401 response to any request for a
> file in doc root folder.
>
> Currently we are returning WWW-Authenticate as a mandatory field and
> some other optional fields.

You're clearly reinventing the wheel. Apache does all of this as standard.

--
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Re: [EMAIL PROTECTED] access.log problem
> Try the following:
>
> root> su - apache
> apache> cd /var/log/apache
> apache> echo test > access.log

Well, I think I might be making some progress, the above did in fact
write test to the access.log (I physically made this log, not apache).

> That of course assumes that 'apache' is a working user, with a login
> shell, but you get the idea.
>
> Furthermore check what your logrotate does. Are the access.log.*
> files written by Apache itself (using a log statement configuration
> that pipes into a log rotator) or via a cron driven logrotate? In
> the latter case, Apache doesn't need to write access.log.1 and "tail
> -f" on the file wouldn't be too useful.

I did not touch the base config for debian etch when I installed the
server last year. I'm also not too familiar with logrotate, I'm going to
assume it is the standard debian install as I have touched nothing. Last
I knew, before the contents of /var/log/apache2 was deleted, there were
access.log and access.log.1 text files and then tars of .2 through .28.
I made the access.log and access.log.1 to see if apache would write
anything to it. No dice yet.

> What are the exact permissions of: /var, /var/log,

/var owned by root, and root filegroup 1600755
/var/log owned by root, and root filegroup 1600755
/var/log/apache2 owned by root, and root filegroup 1600755
/var/log/apache2/access.log owned by root, root filegroup 1600644
/var/log/apache2/error.log owned by root, root filegroup 600644

I made the access.log the same permissions as error.log, was that wrong?
Re: [EMAIL PROTECTED] Running 2 VirtualHosts under different Users.
On Dec 14, 2007 2:47 AM, Christian Folini <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'd work with multiple apaches and possibly a proxy setup,
> where the code writing one sits behind in the 2nd layer.

Yep: http://wiki.apache.org/httpd/PrivilegeSeparation

Joshua.
Re: [EMAIL PROTECTED] Question about installing apache 2.0.59 on solaris 10
On Dec 14, 2007 1:34 AM, pdt_p <[EMAIL PROTECTED]> wrote:
>
> Hi...
>
> I download binary distribution for Apache HTTP server version 2.0.55.
> I download it from: http://apache.wildit.net.au/httpd/binaries/solaris/
> In the readme.bindist and install.bindist file, it says that I have to run
> install-bindist.sh
> In this case my path for apache is /home/myuser/apache2.
> No error occurs and a successful message is displayed.
> I try to run my apache server by executing this command: apachectl start
> This error occurs:
> ld.so.1: httpd: fatal: /home/myuser/apache2/lib/libaprutil-0.so.0: unknown
> file type
> Killed
>
> Any idea what's wrong with my apache http server?

Just download the source and compile it yourself. The binaries tend to be
out of date and you run into problems when your platform doesn't exactly
match the platform of the person who did the compile.

Joshua.
Re: [EMAIL PROTECTED] Question about installing apache 2.0.59 on solaris 10
pdt_p wrote:
Hi...

I download binary distribution for Apache HTTP server version 2.0.55.
I download it from: http://apache.wildit.net.au/httpd/binaries/solaris/
In the readme.bindist and install.bindist file, it says that I have to run
install-bindist.sh
In this case my path for apache is /home/myuser/apache2.
No error occurs and a successful message is displayed.
I try to run my apache server by executing this command: apachectl start
This error occurs:
ld.so.1: httpd: fatal: /home/myuser/apache2/lib/libaprutil-0.so.0: unknown
file type
Killed

Any idea what's wrong with my apache http server?

Thank you
End original message.
---------------------

Is there some reason why you are not building from source? It isn't
difficult and it will help you avoid incompatibility problems with
somebody else's binary distribution that may have been compiled in a way
that is incompatible with your exact configuration.

Also, why not use the latest version? 2.0.55 is rather old and there are
even newer versions in that branch with some rather significant fixes.
However, I would recommend going with 2.2.6 or something in that branch.

Dragon

~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~
[EMAIL PROTECTED] caching of static images
A question about the caching of static images: if the response header
contains both Expires and ETag, will the client browser make a call to the
server to validate that the ETag is fresh? I want to avoid the 304
requests as I know the files will never change, and want to know if
setting both headers causes any issues.

Here is the sample response.

Status=OK - 200
Date=Fri, 14 Dec 2007 17:35:35 GMT
Server=Apache/2.0.52 (CentOS)
Last-Modified=Fri, 14 Dec 2007 10:01:16 GMT
Etag="79c4df-33a-24acf300"
Accept-Ranges=bytes
Content-Length=826
Cache-Control=max-age=2592000
Expires=Sun, 13 Jan 2008 17:35:35 GMT
Connection=close
Content-Type=image/png

thanks!
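No reply to this question appears in the digest. The following Python, added here and not from the thread or from Apache, applies the RFC 2616 section 13.2 freshness rules to the posted headers (constructed inline): while the entry is fresh under max-age (which takes precedence over Expires) a conforming browser sends no request at all, and the ETag only matters once the entry is stale, when it is sent back as If-None-Match to earn a 304.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed from the response posted above (only the headers that matter).
RESPONSE_HEADERS = {
    "Date": "Fri, 14 Dec 2007 17:35:35 GMT",
    "Last-Modified": "Fri, 14 Dec 2007 10:01:16 GMT",
    "Etag": '"79c4df-33a-24acf300"',
    "Cache-Control": "max-age=2592000",
    "Expires": "Sun, 13 Jan 2008 17:35:35 GMT",
}

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"


def parse_http_date(value: str) -> datetime:
    """RFC 1123 date as used in HTTP headers, returned as aware UTC."""
    return datetime.strptime(value, HTTP_DATE).replace(tzinfo=timezone.utc)


def freshness_lifetime(headers: dict) -> timedelta:
    """RFC 2616 13.2.4: max-age takes precedence over Expires; otherwise
    the lifetime is Expires minus Date; with neither, nothing is fresh."""
    cc = headers.get("Cache-Control", "")
    m = re.search(r"(?:^|,)\s*max-age=(\d+)", cc)
    if m:
        return timedelta(seconds=int(m.group(1)))
    if "Expires" in headers and "Date" in headers:
        return parse_http_date(headers["Expires"]) - parse_http_date(headers["Date"])
    return timedelta(0)


def next_request(headers: dict, now: datetime) -> dict:
    """What a conforming cache does for a repeat request at time `now`:
    while fresh it serves from cache and sends nothing; once stale it
    revalidates with the validators it holds (ETag -> If-None-Match,
    Last-Modified -> If-Modified-Since), expecting 304 if unchanged.
    Age is approximated as now minus Date (ignores the Age header)."""
    age = now - parse_http_date(headers["Date"])
    if age < freshness_lifetime(headers):
        return {"action": "serve-from-cache", "request_headers": {}}
    req = {}
    if "Etag" in headers:
        req["If-None-Match"] = headers["Etag"]
    if "Last-Modified" in headers:
        req["If-Modified-Since"] = headers["Last-Modified"]
    return {"action": "revalidate", "request_headers": req}
```

Setting both headers is fine as long as they agree, and here they do (max-age and Expires minus Date are both 30 days). One caveat if the images are served by more than one host: Apache's default FileETag includes the inode, so the same file gets a different ETag on each server and revalidation against the "wrong" one yields a full 200; FileETag MTime Size avoids that.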
[EMAIL PROTECTED] Apache 2.2 DAV/2 problem
I have a problem. Apache 2.2 DAV/2 changed the way it handles file
properties, and now mod_dav does not work with NFS mounted partitions
anymore.

When files are uploaded via WebDAV, and the properties are modified, a
".DAV" directory with associated property file(s) are created.

Apache 2.0.* used:
/uploaddir/
/uploaddir/test1.txt
/uploaddir/.DAV/test1.txt

Apache 2.2.* uses:
/uploaddir/
/uploaddir/test1.txt
/uploaddir/.DAV/test1.txt.dir
/uploaddir/.DAV/test1.txt.pag

The former, for Apache 2.0, I am guessing is a sdbm file for storing file
properties. The latter, for Apache 2.2, I am guessing is gdbm files for
storing file properties.

The latter gdbm based files are a problem for WebDAV shares for data on
NFS partitions. We have our data NFS mounted from various systems to one
local system which provides a centralized WebDAV service. We are in the
process of upgrading to Apache 2.2. Upon testing we see these
.DAV/.dir|.pag files attempting to be created, and Apache hangs for
WebDAV clients requesting a PROPFIND for these directories containing
these property file types. If we remove these .dir|.pag files and
restart Apache all is well again until someone uploads/modifies a file
which touches the DAV properties which Apache attempts to store in these
gdbm based files.

The Apache Lock DB is gdbm based, and the documentation says it has to be
on a local disk, which ours is. So I set up another WebDAV share that
points to a local hard disk partition, for testing. And this works
successfully. I.E. Apache 2.2 does not hang when answering a PROPFIND
request for a directory containing .DAV/.dir|.pag properties files.

Additionally, we have apr-util compiled with disabled support for gdbm,
and using sdbm. But apparently mod_dav just uses something specifically
configured. And I do not see an easy way to turn this off for compiling
mod_dav to not use gdbm.

Can anyone tell me how to fix this problem? Something changed between
Apache 2.0 and 2.2 to create this new predicament.

Can this be labeled as a bug in Apache 2.2? I hope no one tells me that I
just cannot share out NFS data partitions through mod_dav. Especially
since it has always been supported up until Apache 2.2.

Here are steps to reproduce this problem:

install Fedora Core 7
install apr (latest version)
install apr-util (latest version)
install httpd (latest version)

create the directories:
/data/
/data/local-test
/data/nfs-test

NFS mount a remote NFS partition to /data/nfs-test
mount nfsserver.domain.com:/nfsexports/data/ /data/nfs-test

now configure /data/ to be served as a WebDAV share under Apache 2.2 with
mod_dav

-- apache config --
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DAVLockDB /var/lib/dav/lockdb
DAV On
-- apache config --

Now use a WebDAV client that will update file properties, which results
in a .DAV directory being created with associated .dir and .pag gdbm
files to store the properties.

You can use the DAV client WebDrive which will expose this error in this
way. http://www.webdrive.com/ You can download a free 30 day trial to
test this issue.

Now connect to your webdav share http://yourserver/data/

Now upload a test file to the server, say a file named "test1.txt" and
"test2.txt", to both local-test and nfs-test subdirectories:
/data/local-test/test1.txt
/data/nfs-test/test2.txt

Now you can attempt to refresh WebDrive's view of nfs-test and will see it
has hung. You can now use any other WebDAV client to also experience this
issue. This is because they must all issue a PROPFIND on the test2.txt
file, which will query the .DAV/test2.txt.dir and .DAV/test2.txt.pag gdbm
files. And this is what hangs Apache 2.2, as it will never get a lock on
the gdbm files, and never finish querying the properties gdbm files, and
never return a response to the WebDAV client. If you wait long enough,
your WebDAV client will eventually time out. You can restart Apache to
get it to become unhung.

But if you issue another PROPFIND on that nfs-test directory containing
test2.txt, it will hang again. Performing a PROPFIND on the local-test
will work because the property files (.dir and .pag files) are not on an
NFS mounted partition and thus Apache has no problems getting a lock on
the properties files.

You can resolve the immediate issue by stopping apache, deleting the .DAV
directory and contents, and then starting Apache.

We know the problem is with these files, and that Apache is having
troubles with them, because if you issue a PROPFIND on the nfs-test
directory with the .DAV/{.dir|.pag} existing, it will hang, and then when
you go to stop Apache you will notice it takes a long time trying to
clean up that process, which it can't do and simply aborts in creating
the properties files which is the cause of the problems.

Here is a visual look at the problem:

NFS mounted WebDAV share, hangs after uploading a file test1.txt

-bash-3.1$ ls -al /data/nfs-test/
total
Re: [EMAIL PROTECTED] Question about installing apache 2.0.59 on solaris 10
Hi...

Thank you for answering my question. The reason why I am not compiling
it myself is because I don't have permission to install any application.
Basically I don't have permission to root, usr, etc. I only have access
to my home account.

If I download the source, in my case above, is there any way to compile
apache myself but install it into my home account folder?

I am new to apache. I apologize for such a silly question.

Thank you
Pdt


Joshua Slive-2 wrote:
>
> On Dec 14, 2007 1:34 AM, pdt_p <[EMAIL PROTECTED]> wrote:
>>
>> Hi...
>>
>> I download binary distribution for Apache HTTP server version 2.0.55.
>> I download it from: http://apache.wildit.net.au/httpd/binaries/solaris/
>> In the readme.bindist and install.bindist file, it says that I have to run
>> install-bindist.sh
>> In this case my path for apache is /home/myuser/apache2.
>> No error occurs and a successful message is displayed.
>> I try to run my apache server by executing this command: apachectl start
>> This error occurs:
>> ld.so.1: httpd: fatal: /home/myuser/apache2/lib/libaprutil-0.so.0:
>> unknown
>> file type
>> Killed
>>
>> Any idea what's wrong with my apache http server?
>
> Just download the source and compile it yourself. The binaries tend to
> be out of date and you run into problems when your platform doesn't
> exactly match the platform of the person who did the compile.
>
> Joshua.
Re: [EMAIL PROTECTED] Question about installing apache 2.0.59 on solaris 10
pdt_p wrote:
Hi...

Thank you for answering my question. The reason why I am not compiling
it myself is because I don't have permission to install any application.
Basically I don't have permission to root, usr, etc. I only have access
to my home account.

If I download the source, in my case above, is there any way to compile
apache myself but install it into my home account folder?

I am new to apache. I apologize for such a silly question.
End original message.
---------------------

I am not certain but I think you can probably compile it and install it
without having root access. However, if you want to run it on a
privileged port (port number <= 1024), you have to have root access. Even
then, I am unsure if it will start under another user account with a port
number > 1024. I think it should but I don't recall for sure.

Dragon

~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~
[EMAIL PROTECTED] how to compile mod_security 2.x
I could compile mod_security-1.9.4 with Apache-2.0.61 on Solaris 8 easily
but failed on 2.1.4. Seems 2.1.4 compilation is very different from
1.9.4. If someone has such experience, could you share it with me?

Many Thx,
Q.Xie
RE: [EMAIL PROTECTED] how to compile mod_security 2.x
You are correct, the install instructions have changed for Mod 2.x. We
address this issue in the documentation and in the FAQ -
http://www.modsecurity.org/documentation/faq.html#d0e224

Additionally, you should probably sign up for the Mod mail-list and ask
questions there - http://www.modsecurity.org/documentation/faq.html#d0e73

--
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

> -----Original Message-----
> From: Qingshan Xie [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 14, 2007 6:29 PM
> To: users@httpd.apache.org
> Subject: [EMAIL PROTECTED] how to compile mod_security 2.x
>
> I could compile mod_security-1.9.4 with Apache-2.0.61 on Solaris 8 easily
> but failed on 2.1.4. Seems 2.1.4 compilation is very different from
> 1.9.4. If someone has such experience, could you share it with me?
>
> Many Thx,
> Q.Xie