httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: svn commit: r790589 - /httpd/test/framework/trunk/t/security/CVE-2009-1890.t
Date Thu, 09 Jul 2009 13:52:34 GMT
 

> -----Original Message-----
> From: Dan Poirier [mailto:poirier@pobox.com] 
> Sent: Donnerstag, 9. Juli 2009 15:48
> To: dev@httpd.apache.org
> Subject: Re: svn commit: r790589 - 
> /httpd/test/framework/trunk/t/security/CVE-2009-1890.t
> 
> "Plüm, Rüdiger, VF-Group" <ruediger.pluem@vodafone.com> writes:
> >> -----Original Message-----
> >> From: Dan Poirier 
> >> Sent: Donnerstag, 9. Juli 2009 15:10
> >> To: dev@httpd.apache.org
> >> Subject: Re: svn commit: r790589 - 
> >> /httpd/test/framework/trunk/t/security/CVE-2009-1890.t
> >> 
> >> The test doesn't seem to do what the vulnerability description talks
> >> about.  The vulnerability talks about sending additional data after
> >> sending Content-length bytes of request body, where this test sends a
> >> request body of the right length, just in two parts with a pause in
> >> between.
> >
> > It adds a leading '0' to the content-length header causing the old code
> > to interpret the content-length as being an octal number.
> > Interpreting the content-length as octal results in a much lower content length
> > than if it was interpreted as a decimal number.
> 
> So if the content-length was parsed correctly, but the vulnerability
> related to additional data wasn't fixed, this test would still pass?
> (Since then we're not sending any more data than expected?)

IMHO correct.

Regards

Rüdiger
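
The leading-zero effect discussed in this thread, as an added C example that is not part of the original messages and is not httpd code. It assumes the old behaviour is equivalent to a base-0 `strtoll` conversion; the function names and sample values are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse: base 0 lets strtoll pick octal for a leading '0'.
 * Stands in (as an assumption) for the "old code" described in the thread. */
long long parse_cl_lenient(const char *s)
{
    return strtoll(s, NULL, 0);
}

/* Strict parse: decimal digits only, whole string consumed, no overflow.
 * Returns -1 on any malformed value. */
long long parse_cl_strict(const char *s)
{
    char *end;
    long long v;

    if (!isdigit((unsigned char)s[0]))
        return -1;               /* rejects "", "+5", "-5", " 5" */
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;               /* rejects overflow and trailing junk */
    return v;
}

/* Bytes of a correctly sized body that a lenient parser would leave
 * outside the request body (0 when the parsers agree or strict rejects). */
long long cl_surplus(const char *s)
{
    long long strict = parse_cl_strict(s);
    long long lenient = parse_cl_lenient(s);
    return (strict > lenient) ? strict - lenient : 0;
}

int main(void)
{
    /* Constructed Content-Length values, not taken from the test file. */
    const char *samples[] = { "100", "0100", "010", "0x10", "12abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s lenient=%lld strict=%lld surplus=%lld\n", samples[i],
               parse_cl_lenient(samples[i]), parse_cl_strict(samples[i]),
               cl_surplus(samples[i]));
    return 0;
}
```

A non-zero surplus means a body of the advertised decimal length is longer than what the lenient parser expects, so a test built this way exercises the header parsing while sending no more bytes than the decimal length.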
