httpd-dev mailing list archives

From Michael Douglass <>
Subject extra long URL attack (fwd)
Date Sat, 11 Jan 1997 18:18:08 GMT
I tested this on 1.1.1 and it does, in fact, work.  The only question is
what else (besides getting an index of /) can this be used for.  I checked
to make sure you weren't already discussing this and only found the talk
about the mod_cookie.c bug; unless I missed this one somewhere.

(Just making sure y'all don't miss one)

Michael Douglass
Texas Networking, Inc.

 "The past is a foreign country; they do things differently there."
      L. P. Hartley, British author. The Go-Between, Prologue (1953).

---------- Forwarded message ----------
Date: Fri, 10 Jan 1997 22:43:10 -0800
From: strick -- henry strickland <>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Subject: extra long URL attack

I don't know about CGI attacks, but this extra long URL to
my site running
        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
will show you the raw contents of the top directory
rather than the /index.html file (using Netscape Navigator 3.0 solaris
for a browser).

i've always wondered how safe it was to count on nobody seeing
past your index.html -- now i know.  I wonder if some variant
will get you the root directory of my entire filesystem instead
of just the top directory of my web.  I knew I should have
chrooted this stuff....

szia, strick

begin 644 xyz.html.gz
