httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Braund" <abra...@mail.com>
Subject RE: IBM HTTP SERVER / APACHE (fwd)
Date Fri, 02 Jun 2000 01:51:59 GMT
I have just tried this on Apache 1.3.12 (with patched proxy), NT4 SP6a running
on my small local network.

My index.html page is a simple one with a some text at the top then three .gif
images at the bottom.

If I try
http://192.168.0.60/ I get the page, all looks normal.
http://192.168.0.60/ plus 190 - 212 '/' characters; all looks normal.
http://192.168.0.60/ plus 213 - 227 '/' characters; the page shows image 2 as
broken.
http://192.168.0.60/ plus 228 - 250 '/' characters; the page shows image 1&2 as
broken.
http://192.168.0.60/ plus 251 '/' characters you get a directory listing.
http://192.168.0.60/ plus 252+ '/' characters you get
Forbidden You don't have permission to access "/" x 252 on this server.

I tried all this again on Win98 (first release) and got exactly the same
results.

Regards
Andrew Braund

> -----Original Message-----
> From: Marc Slemko [mailto:marcs@znep.com]
> Sent: Friday, 2 June 2000 9:54
> To: security@apache.org; TLOSAP
> Subject: Re: IBM HTTP SERVER / APACHE (fwd)
>
>
> So is anyone investigating this and fixing and/or following up to bugtraq?
>
> I can not, especially because my stupid lame-ass thinkpad that functions
> as my windows box just choked on itself and now doesn't work unless I open
> it up and bend the dc/dc board the right way.  Makes it a bit hard to
> type.  <g> But the unibody-like construction of them is pretty
> interesting.  Until it breaks.  Grr.  Guess that is what you get for
> buying a thin and light laptop.
>
> Anyway, it would be really great if someone could look into this and
> create a response and/or fix.  If no one can, then I suppose I can send a
> message to bugtraq saying "yea, looks like there is some bug on
> windows."  But I don't even know what versions (or if it is all
> versions) are impacted.
>
> On Wed, 31 May 2000, Marc Slemko wrote:
>
> > FYI.
> >
> > It may or may not apply to Apache itself on Win32, and may or may not be
> > fixed in current versions.  What is happening here is almost certainly
> > that it tries to look for index.html, etc. and the error code isn't
> > properly interpreted to mean "that is too long, so bail".
> >
> > ---------- Forwarded message ----------
> > Date: Wed, 31 May 2000 18:34:30 -0000
> > From: Marek Roy <marek_roy@HOTMAIL.COM>
> > To: BUGTRAQ@SECURITYFOCUS.COM
> > Subject: IBM HTTP SERVER / APACHE
> >
> > I haven't seen any advisories for IBM HTTP SERVER running
> > Apache.
> >
> > There is a crucial number of "/" (forward slash) you can
> > use to retrieve the contents of the root directory of this
> > particular Web Server.  Using this vulnerability, you can
> > retrieve any files or scripts running from that directory
> > and sub-directories.
> >
> > The number of "/" used to reproduce this can be different
> > from one server to another.  I don't have enough time to do
> > more testing.  However, feel free to add some more info to
> > this quick advisory.
> >
> > You can get a trial copy at:
> >
> > http://www-
> > 4.ibm.com/software/webservers/httpservers/download.html#v136
> >
> > ====
> >
> > Vulnerable:
> > Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Win32)
> >
> > Not Vulnerable:
> > Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Unix)
> >
> > ====
> >
> > If you send a GET request of 210 "/", you get:
> > The actual Web Page.
> > ----
> > If you send a GET request of 211 "/", you get:
> > Index of /
> > -----
> > If you send a GET request of 212 "/", you get:
> >
> > Forbidden
> > You don't have permission to access
> > "/" x 212 on this server.
> >
> >
> > Marek Roy
> >
> >
>
>


Mime
View raw message