ACCESS CONTROL PROBLEM in NCSA httpd

Rob McCool ([email protected])
Fri, 25 Mar 1994 10:02:46 --100


A vulnerability has been identified with NCSA httpd 1.1's access
control. The impact of this is that if you have files which are
protected by httpd's access control via the global ACF access.conf,
the protection can be circumvented and access can be gained to the
files regardless of the client's DNS hostname, host IP address, or
HTTP user name.

Any users of NCSA httpd 1.1 should pick up a patch from
ftp://ftp.ncsa.uiuc.edu/Web/ncsa_httpd/httpd_1.1/httpd-access-patch and
recompile httpd immediately. The distribution binaries and .tar files
have also been updated so that binary users can install a new copy of
the httpd binary and have the patch installed.

Thanks for your patience.

--Rob

--
Rob McCool, [email protected]
Software Development Group, National Center for Supercomputing Applications
It was working ten minutes ago, I swear...
<A HREF="http://hoohoo.ncsa.uiuc.edu/~robm/sg.html">A must see.</A>