ACCESS CONTROL PROBLEM in NCSA httpd

robm@ncsa.uiuc.edu (Rob McCool)
Errors-To: listmaster@www0.cern.ch
Date: Fri, 25 Mar 1994 10:02:46 --100
Message-id: <9403250859.AA20232@void.ncsa.uiuc.edu>
Reply-To: robm@ncsa.uiuc.edu
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: robm@ncsa.uiuc.edu (Rob McCool)
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: ACCESS CONTROL PROBLEM in NCSA httpd
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
Content-Length: 921


A vulnerability has been identified with NCSA httpd 1.1's access
control. The impact of this is that if you have files which are
protected by httpd's access control via the global ACF access.conf,
the protection can be circumvented and access can be gained to the
files regardless of the client's DNS hostname, host IP address, or
HTTP user name.

Any users of NCSA httpd 1.1 should pick up a patch from
ftp://ftp.ncsa.uiuc.edu/Web/ncsa_httpd/httpd_1.1/httpd-access-patch and
recompile httpd immediately. The distribution binaries and .tar files
have also been updated so that binary users can install a new copy of
the httpd binary and have the patch installed.

Thanks for your patience.

--Rob

--
Rob McCool, robm@ncsa.uiuc.edu
Software Development Group, National Center for Supercomputing Applications
It was working ten minutes ago, I swear...
<A HREF="http://hoohoo.ncsa.uiuc.edu/~robm/sg.html">A must see.</A>