Uli's Web Site
FUD about resource forks on servers?

I just stumbled across this link claiming there were Security issues with Forks on web servers.

Basically, it talks about the special syntax that lets you view the HFS resource fork of a file from the Terminal by writing /path/to/file/..namedfork/rsrc, and the data fork by writing /path/to/file/..namedfork/data. Since that works by essentially treating the file as a folder containing two other files, the resource fork and the data fork, it may supposedly confuse Apache and other command-line tools, which won't notice that the forks are the same as the files...

Oddly enough, when I tried this on one of my Macs, it didn't work. When I specified only one dot, I got the same PHP file as when using the real URL, however PHP still triggered and executed the script. (the request URL was different, of course, but that's all) So, either Apple fixed this, or it's only a problem with other apps besides Apache ... or it's just FUD?

Can anyone confirm/deny either of that?

Update: Okay, David Steinbrunner just let me know that he remembers that Apple patched this hole about a month ago. So that's why it didn't work for me. I, for one, welcome our new Security Software Update overlords...
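For anyone who wants to check whether their own server ever received requests using the ..namedfork syntax described above, here is an added example (not part of the original post) that scans access-log lines for it. It assumes Apache common log format; the sample lines are constructed, and the names fork_access and scan are made up for this sketch.

```python
import re
from urllib.parse import unquote

# Fork accessor from the post: <file>/..namedfork/rsrc and <file>/..namedfork/data
FORK_SEGMENT = "..namedfork"
FORK_NAMES = {"rsrc", "data"}

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2005:10:00:01 +0100] "GET /index.php HTTP/1.1" 200 5120
192.0.2.11 - - [03/Mar/2005:10:00:05 +0100] "GET /index.php/..namedfork/data HTTP/1.1" 200 812
192.0.2.11 - - [03/Mar/2005:10:00:09 +0100] "GET /inc/config.php/..NamedFork/rsrc HTTP/1.1" 200 0
192.0.2.12 - - [03/Mar/2005:10:00:12 +0100] "GET /index.php/%2e%2enamedfork/data?x=1 HTTP/1.1" 404 210
192.0.2.13 - - [03/Mar/2005:10:00:20 +0100] "GET /docs/namedfork-notes.html HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fork_access(target):
    """Return (file_path, fork_name) if the request path addresses a named fork, else None."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Decode a few times so double-encoded dots (%252e) are normalized too.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # HFS+ is case-insensitive by default, so compare path segments lowercased.
    segments = [s for s in path.split("/") if s]
    lowered = [s.lower() for s in segments]
    for i in range(1, len(lowered) - 1):
        if lowered[i] == FORK_SEGMENT and lowered[i + 1] in FORK_NAMES:
            return "/" + "/".join(segments[:i]), lowered[i + 1]
    return None

def scan(log_text):
    """Collect every request that used the fork syntax, with the status the server returned."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        found = fork_access(m.group("target")) if m else None
        if found:
            # A 2xx status on a script's data fork deserves a look: check what body was sent.
            hits.append({"client": line.split()[0], "file": found[0],
                         "fork": found[1], "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```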

 
Created: 2005-03-03 @062 Last change: 2005-03-03 @602
© Copyright 2003-2018 by M. Uli Kusterer, all rights reserved.