httpd-dev mailing list archives

From "William A. Rowe, Jr." <ad...@rowe-clan.net>
Subject Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit (fwd)
Date Wed, 13 Jun 2001 23:16:12 GMT
> Date: Wed, 13 Jun 2001 02:44:35 -0500
> From: Matt Watchinski <matt@farm9.com>
> To: bugtraq@securityfocus.com
> Subject: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory
>     Listing  Exploit
> 
> #!/usr/bin/perl
> #
> # farm9, Inc. (copyright 2001)
> #
> # Name: Apache Artificially Long Slash Path Directory Listing Exploit
> # Author: Matt Watchinski
> # Ref: SecurityFocus BID 2503
> #
> # Affects: Apache 1.3.17 and below
> # Tested on: Apache 1.3.12 running on Debian 2.2

As Mark points out, this is no longer an issue, and on Win32, it wasn't tripped
until you get to about 8180 characters.  On pre-1.3.14, you needed a special character
in the path to trip it on Win32.  Any which way, we are at 1.3.20 with no reoccurrence
on any platform, for any reason.

The patch I've been hacking to 2.0's directory walk+path info code already handles
the 'error condition' vs. the 'not found' condition properly.  Feel free to try
proving me wrong once it's committed.

Bill

