httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: 1.3.12...
Date Sun, 06 Feb 2000 00:24:39 GMT
On Sat, 5 Feb 2000, Ralf S. Engelschall wrote:

> In article <> you wrote:
> > IMO we need to get 1.3.12 out and out soon.
> > [...]
> +1

Unfortunately, that doesn't fit with the idea of committing lots of

Personally, I wonder if some feedback from actual users on a number of
things first wouldn't be good.  But few people get the problem yet.  I'm
pretty sure they will this coming week, as people publish ways to steal
accounts from places like (including hotmail),
(including yahoo mail), amazon, etc.  It isn't even a matter of people
having to really discover anything to do so, just understand the issue.  
Once you do, finding such ways to exploit the hole is trivial.  Once that
happens, I think a lot more people will care.  So, the argument is you
should get it out before then or wait until after then.  Whichever.

We also need to figure out what to do WRT all the modules that set a MIME
type of text/html for various things without a charset.

There are also a bunch of places where the existing docs on the issue
could be made clearer with more than a long night to write them.  But I'm
too worn out right now, plus other unrelated issues keep popping up.

I am also amazed at the lack of response from other vendors.  Netscape put
out a note about Netscape Enterprise server saying it wasn't vulnerable.  
Unfortunately it is.  Not much else out there, despite the fact that IIS5,
WebSite Pro, Roxen, Zeus and thttpd are all vulnerable in their default
configs AFAIK.  All of those don't even encode URLs output on their error
pages, which Apache has done for a long time.

View raw message