Package: libembperl-perl
Version: 2.5.0~rc3-1~bpo70+1
Severity: important
Tags: upstream

Dear Maintainer,

The Embperl handler discloses the full local file path when displaying a 404 page.
Hence any request to a file ending in .epl will reveal the document root
configured for the virtual host.

   * What was the outcome of this action?

GET localhost/aksndlaksndklajnd.epl | grep /var/www
[1703]ERR: 404: aksndlaksndklajnd.epl(1): Not found '/var/www/aksndlaksndklajnd.epl', searched: No such file or directory

   * What outcome did you expect instead?

Not disclosing that the webroot is /var/www, i.e.:
Not found: /aksndlaksndklajnd.epl

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libembperl-perl depends on:
ii  libc6                       2.13-38
ii  libwww-perl                 6.04-1
ii  libxml2                     2.8.0+dfsg1-7+nmu2
ii  libxslt1.1                  1.1.26-14.1
ii  perl                        5.14.2-21+deb7u1
ii  perl-base [perlapi-5.14.2]  5.14.2-21+deb7u1

Versions of packages libembperl-perl recommends:
ii  apache2-mpm-prefork      2.2.22-13
ii  libapache-sessionx-perl  2.01-4
ii  libapache2-mod-perl2     2.0.7-3

Versions of packages libembperl-perl suggests:
pn  libdbix-recordset-perl  <none>
pn  libjs-prototype         <none>
pn  mmm-mode                <none>

-- no debconf information
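
A regression check for the behaviour reported above, as an added example that is not part of the original report or of Embperl: given a 404 response body and the requested path, it reports any local path prefix the page exposes in front of that path. The function names and SAMPLE_* variables are hypothetical; the two sample bodies are the line from the report's output and the form the reporter expected.

```sh
#!/bin/sh
# Added example: check a 404 body for a leaked local path prefix.
# Function names and SAMPLE_* variables are hypothetical.

# Observed line from the report, and the form the reporter expected.
SAMPLE_URI='/aksndlaksndklajnd.epl'
SAMPLE_LEAKY="[1703]ERR: 404: aksndlaksndklajnd.epl(1): Not found '/var/www/aksndlaksndklajnd.epl', searched: No such file or directory"
SAMPLE_EXPECTED='Not found: /aksndlaksndklajnd.epl'

# leaked_prefix BODY URI_PATH
# Print every absolute-path prefix that appears directly in front of
# URI_PATH in BODY (one per line, de-duplicated). Prints nothing when the
# body only echoes the URI path itself.
leaked_prefix() {
    lp_body=$1
    lp_uri=$2
    # Escape ERE metacharacters so the requested name is matched literally.
    lp_esc=$(printf '%s' "$lp_uri" | sed 's/[][(){}.*+?^$|\\]/\\&/g')
    printf '%s\n' "$lp_body" |
        grep -oE "/[A-Za-z0-9_./-]+${lp_esc}" |
        while IFS= read -r lp_hit; do
            # Strip the requested path, leaving only the exposed prefix.
            printf '%s\n' "${lp_hit%"$lp_uri"}"
        done |
        sort -u
}

# check_404_body BODY URI_PATH
# Return 0 if the error page is clean, 1 if it exposes a local path prefix.
check_404_body() {
    cb_prefix=$(leaked_prefix "$1" "$2")
    if [ -n "$cb_prefix" ]; then
        printf 'LEAK: error page exposes local path prefix: %s\n' "$cb_prefix"
        return 1
    fi
    printf 'OK: error page shows only the requested path\n'
}

# Offline run on the two samples. Against a live host the body could come
# from the same command the report used, e.g.
#   check_404_body "$(GET localhost/name.epl)" /name.epl
check_404_body "$SAMPLE_LEAKY" "$SAMPLE_URI" || true
check_404_body "$SAMPLE_EXPECTED" "$SAMPLE_URI"
```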