Uli's Web Site
[ Zathras.de - Uli's Web Site ]
Other Sites: Stories
Abi 2000
Stargate: Resurgence
Lost? Site Map!
     home | blog | moose | programming | articles >> blog

 Blog Topics

15 Most Recent [RSS]

 Less work through Xcode and shell scripts
2011-12-16 @600
 iTunesCantComplain released
2011-10-28 @954
 Dennis Ritchie deceased
2011-10-13 @359
 Thank you, Steve.
2011-10-06 @374
 Cocoa Text System everywhere...
2011-03-27 @788
 Blog migration
2011-01-29 @520
 All you need to know about the Mac keyboard
2010-08-09 @488
 Review: Sherlock
2010-07-31 @978
 Playing with Objective C on Debian
2010-05-08 @456
 Fruit vs. Obst
2010-05-08 @439
 Mixed-language ambiguity
2010-04-15 @994
 Uli's 12:07 AM Law
2010-04-12 @881
 Uli's 1:24 AM Law
2010-04-12 @874
 Uli's 6:28 AM Law
2010-04-12 @869
 Uli's 3:57 PM Law
2010-04-12 @867


FUD about resource forks on servers?

I just stumbled across this link claiming there were Security issues with Forks on web servers.

Basically, it talks about the special syntax that lets you view the HFS resource fork of a file from terminal by writing /path/to/file/..namedfork/rsrc, and the data fork by writing /path/to/file/..namedfork/data. Since that works by essentially treating the file as a folder containing two other files, resource and data fork, it may supposedly confuse Apache and other command-line tools, who won't notice that the forks are the same as the files...

Oddly enough, when I tried this on one of my Macs, it didn't work. When I specified only one dot, I got the same PHP file as when using the real URL, however PHP still triggered and executed the script. (the request URL was different, of course, but that's all) So, either Apple fixed this, or it's only a problem with other apps besides Apache ... or it's just FUD?

Can anyone confirm/deny either of that?

Update: Okay, David Steinbrunner just let me know that he remembers that Apple patched this hole about a month ago. So that's why it didn't work for me. I for one, welcome our new Security Software Update overlords...

Created: 2005-03-03 @062 Last change: 2005-03-03 @602 | Home | Admin | Edit
© Copyright 2003-2018 by M. Uli Kusterer, all rights reserved.