httpd-dev mailing list archives

From Marc Slemko <ma...@znep.com>
Subject Re: Misleading directions
Date Fri, 24 Jan 1997 08:46:21 GMT
No, the cookie buffer overflow is the one that is arguably not a problem
in 1.2b4 because it is allocated on the heap, not the stack.  This means
you can't use the standard trick of overwriting the (saved) program
counter, etc. to gain control.  It doesn't necessarily mean it is
unexploitable, but it is generally far far harder.

The mod_dir problem is in 1.2b4.

On Fri, 24 Jan 1997, Brian Behlendorf wrote: 

> On Thu, 23 Jan 1997, Ben Laurie wrote:
> > The front page on www.apache.org suggests upgrading to a 1.2 beta to fix the
> > recent holes. Snag is 1.2b4 still allows the multiple slash hole...
> 
> I thought it was not a problem in 1.2b4?
> 
> 	Brian
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
> 

