On Fri, Dec 12, 2008 at 7:44 PM, Christopher Drost wrote:
> Go ahead, try it. I did. Right now http://drostie.org/symlink/ is a
> symlink pointing to the folder /hidden, which is very far away from my
> DocumentRoot. It could (and did) point to my root directory at some
> point. And the symlink wa
On Thu, Dec 11, 2008 at 6:23 PM, Christopher Drost wrote:
> After all, the FollowSymLinks attack allows any user to show anybody
> on the web the contents of your root folder with zero effort, and
> opens itself up to accidental abuses. The race condition attack looks
> relatively difficult and r
Christopher Drost wrote:
>
> The error comes when misc/security_tips.html#protectserverfiles also
> claims a resolution to this problem. The resolution consists of
> sticking the directive:
>
>
> Order Deny,Allow
> Deny from all
>
No, I don't believe it's claiming that this is the ent
>
> You said , which is not the document root or something
> relative to a user's home directory. It's the root of the
> filesystem.
>
Where on earth did I claim that was either the document
root or something relative to a user's home directory?
Looking back on the original email, I was maybe a
On Fri, Dec 12, 2008 at 5:26 AM, Christopher Drost wrote:
>>
>> How do you get out from under / with a symlink?
>>
>
> I don't understand the question. You don't "get out from under" the
> global root directory -- I'm not suggesting a break on chroot or
> something like that. You do get out from u
>
> How do you get out from under / with a symlink?
>
I don't understand the question. You don't "get out from under" the
global root directory -- I'm not suggesting a break on chroot or
something like that. You do get out from under the DocumentRoot. (You
might even get out from a chroot applied