There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file.
A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log:
*) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. Prior to this change, ap_log_rerror() always sent warning messages to the client. In one case, a faulty CGI script caused the server to send a warning message to the client that contained the full path to the CGI script. This could be considered a minor security exposure. [Bill Stoddard]
Sensitive information may be disclosed.
If you are running version 2.0, upgrade to Apache 2.036 or later.
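The behaviour change quoted from the change log, sketched as an added example (a simplified model, not Apache source code and not part of the original note). The flag values, struct, function names and sample message are all constructed for illustration. It shows a warning reaching the client by default before the change and only on explicit opt-in afterwards.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the behaviour change; not Apache source code.
 * All names, flag values and the sample message are constructed. */
#define LVL_WARNING   4
#define LVL_MASK      7
#define LVL_TOCLIENT  0x10   /* caller opts in to client-visible output */
#define SAMPLE_PATH   "/srv/www/cgi-bin/report.cgi"
#define SAMPLE_MSG    "faulty CGI output from " SAMPLE_PATH

struct request {
    char error_log[128];   /* seen only by the administrator */
    char client_msg[128];  /* returned to the remote client */
};

typedef void (*log_fn)(int level, struct request *r, const char *msg);

/* Before: every warning is logged and also sent to the client. */
static void log_rerror_before(int level, struct request *r, const char *msg)
{
    snprintf(r->error_log, sizeof r->error_log, "%s", msg);
    if ((level & LVL_MASK) == LVL_WARNING)
        snprintf(r->client_msg, sizeof r->client_msg, "%s", msg);
}

/* After: the warning reaches the client only when the flag is set. */
static void log_rerror_after(int level, struct request *r, const char *msg)
{
    snprintf(r->error_log, sizeof r->error_log, "%s", msg);
    if ((level & LVL_MASK) == LVL_WARNING && (level & LVL_TOCLIENT))
        snprintf(r->client_msg, sizeof r->client_msg, "%s", msg);
}

/* Returns 1 if the client-visible text discloses the script path. */
static int client_sees_path(log_fn fn, int level)
{
    struct request r = { "", "" };
    fn(level, &r, SAMPLE_MSG);
    return strstr(r.client_msg, SAMPLE_PATH) != NULL;
}

int main(void)
{
    printf("before, warning:          %d\n", client_sees_path(log_rerror_before, LVL_WARNING));
    printf("after,  warning:          %d\n", client_sees_path(log_rerror_after, LVL_WARNING));
    printf("after,  warning|TOCLIENT: %d\n", client_sees_path(log_rerror_after, LVL_WARNING | LVL_TOCLIENT));
    return 0;
}
```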
Our thanks to the Apache group for their change log.
This document was written by Shawn V Hernan, based upon information in the Apache Change Log.
|Date First Published:
|Date Last Updated:
|2002-07-11 21:16 UTC