On Sat, Mar 17, 2007 at 03:22:42PM +0100, Fili wrote:
> Package: libapache-mod-suphp
> Version: 0.5.2-3
> Severity: critical
>
> There seems to be a serious security bug when using suphp
> with apache 1.3.x on Sarge (and also on Etch).
>
According to a mail from Jochen Schalanda on the suphp mailing lists, it is
not a bug in suphp. It's an apache misconfiguration.

He gave us some interesting links:
http://httpd.apache.org/docs/2.0/mod/mod_mime.html#multipleext
http://httpd.apache.org/docs/1.3/mod/mod_mime.html

For people wanting to strictly check the extension, he suggests using
SetHandler with FilesMatch.
http://httpd.apache.org/docs/2.0/mod/core.html#filesmatch
http://httpd.apache.org/docs/2.0/mod/core.html#sethandler
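
The strict check suggested above, as an added example that is not part of the original mail or of suphp's own configuration: the mod_mime extension mapping beside a FilesMatch/SetHandler block. The handler name x-httpd-php is an assumption; substitute the handler your setup registers.

```apache
# Added example; the handler name x-httpd-php is an assumption.

# Before (left commented out): mod_mime extension mapping.
# mod_mime considers every dot-separated extension of a file name, so this
# mapping also applies when .php is not the last extension of the name
# (see the "multipleext" section of the mod_mime documentation).
#AddHandler x-httpd-php .php

# After: drop any inherited extension mapping for .php ...
RemoveHandler .php

# ... and assign the handler only when the file name ends in .php.
# The regex is anchored with $, so the extension is checked strictly.
<FilesMatch "\.php$">
    SetHandler x-httpd-php
</FilesMatch>
```

After reloading the server, request a test file whose name contains .php but does not end in it and confirm that it is served as a static file.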