From: john sachs
To: test-dev@httpd.apache.org
Date: Thu, 8 Nov 2001 14:51:49 -0800
Subject: [franklin_tech_bulletins@yahoo.com: IBM AS/400 HTTP Server '/' attack]
Message-ID: <20011108145149.E137@doom.sfo.covalent.net>

hey. after this was reported, I knew Apache was not affected, but I thought I'd write a quick test to add to the suite just to make sure it never got introduced. anyway, in doing so, I noticed that 1.3 serves the page as you'd expect. in 2.0, you get 404. which is "correct"? I kinda think 404 is correct. if I add a test to check for 404, this test will fail on 1.3. what do you guys think? or is this problem so lame it will never show up in Apache and we don't even need to test for it?
-j

From: "'ken'@FTU"
To: bugtraq
Date: Thu, 08 Nov 2001 09:41:33 -0500
Subject: IBM AS/400 HTTP Server '/' attack
Message-ID: <3BEA999D.4070304@yahoo.com>

IBM's HTTP Server on the AS/400 platform is vulnerable to an attack that will show the source code of the page -- such as an .html or .jsp page -- by attaching a '/' to the end of a URL. Compare these two URLs:

http://www.foo.com/getsource.jsp
http://www.foo.com/getsource.jsp/

The latter URL will deliver the jsp source to the browser.

I reported this problem to IBM approximately 9 or 10 months ago. I was told it was a bug but not a security vulnerability. When I explained that Microsoft had a similar bug (asp dot bug) they told me that "they did not share the same source code base." I replied to this ludicrous reply: "Isn't it possible that since you developed servers that function in a similar manner you have the same logical bug?" To this they were speechless.

I imagine that a .jsp page could contain user names and passwords if they are accessing databases, especially if these databases are on the network.

By the way, the IBM HTTP server was derived from an early version of Apache. I have not seen Apache servers vulnerable to this bug.

Since I reported this "non-security" bug so long ago I hope it is fixed through the regular set of changes. I cannot confirm this bug was fixed. As far as I know this vulnerability was not yet reported to the public.

'ken'
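The bug ken describes, and the 1.3-versus-2.0 difference john asks about, as an added example that is part of neither message nor of any Apache or IBM code: a toy path walker that splits a request into a resolved file plus path_info, a handler chooser that keys off the request URI suffix (so `/getsource.jsp/` misses the JSP handler and the static handler sends the file), and a hardened chooser that keys off the resolved file and lets the static handler refuse path_info with 404. The in-memory DOCROOT, render_jsp and the accept_path_info switch are constructed stand-ins, not real server APIs.

```python
# Constructed in-memory document root: path -> contents (None marks a directory).
DOCROOT = {
    "/": None,
    "/index.html": "<html>hello</html>",
    "/getsource.jsp": '<% conn = getConnection(url, "dbuser", "dbpass"); %>',
}

def resolve(uri):
    """Walk the request path one component at a time and stop at the first
    regular file; the rest of the URI after that file is path_info, so
    '/getsource.jsp/' resolves to ('/getsource.jsp', '/')."""
    cur = ""
    for part in uri.split("/"):
        if not part:
            continue
        cur += "/" + part
        if cur not in DOCROOT:
            return None, ""                # no such file or directory
        if DOCROOT[cur] is not None:       # regular file: stop walking here
            return cur, uri[len(cur):]
    return (cur or "/"), ""                # walked all the way to a directory

def render_jsp(source):
    """Stand-in for a JSP engine: emits rendered output, never the source."""
    return "<html>rendered output</html>"

def serve_vulnerable(uri):
    """Bug as the bulletin describes it: the handler is chosen from the suffix
    of the request URI.  '/getsource.jsp/' does not end in '.jsp', so it falls
    through to the static handler, which sends the file resolve() found."""
    filename, path_info = resolve(uri)
    if filename is None or DOCROOT[filename] is None:
        return 404, ""
    if uri.endswith(".jsp"):
        return 200, render_jsp(DOCROOT[filename])
    return 200, DOCROOT[filename]

def serve_hardened(uri, accept_path_info=False):
    """Pick the handler from the resolved file, not the URI, so path_info cannot
    turn a script into a static file; and let the static handler refuse
    path_info with 404 (2.0-style) unless accept_path_info is set (1.3-style)."""
    filename, path_info = resolve(uri)
    if filename is None or DOCROOT[filename] is None:
        return 404, ""
    if filename.endswith(".jsp"):
        return 200, render_jsp(DOCROOT[filename])
    if path_info and not accept_path_info:
        return 404, ""
    return 200, DOCROOT[filename]
```

A regression test in the spirit john proposes only needs to assert that the trailing-slash form never returns the script body; whether a static file with path_info gets 200 or 404 is the separate policy knob the two server generations answer differently.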