httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: security hole. bluff?
Date Mon, 22 Apr 1996 18:19:08 GMT
Brian Behlendorf wrote:
> On Mon, 22 Apr 1996, Tom Tromey wrote:
> > Rob> has anyone yet seen an example of how to exploit the recent
> > Rob> security "hole"?
> > 
> > I saw a note on comp.infosystems.www.servers.unix that indicated that
> > there was no way to exploit the hole.  The message said that the
> > reason \n should be escaped is for poorly-written CGIs.  The author
> > said he had talked to the originator of the report...
> > 
> > I have no idea if this bears any relation to reality.
> The gentleman whose message I responded to, bcc'ing the list, came back 
> and said "I don't have to prove anything to you, if you just read 
> you're way out of the loop, this hole has compromised 
> some of the biggest sites on the net".  I asked him to put up or shut up, 
> and he has yet to come back.  

I should add that the Apache Group's response was the correct one, whether the
security hole really exists or not. It clearly did not damage the code, it
clearly could possibly somehow cause a hole and in the absence of time for
contemplation we fixed it. We might like to consider removing the fix if
further analysis shows it is not a hole.



> 	Brian
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>  |  We're hiring!

Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email:
A.L. Digital Ltd,           URL:
London, England.

View raw message