Bugtraq mailing list archives
Re: extra long URL attack
From: sam () serve com (Sam Schlansky)
Date: Sat, 11 Jan 1997 12:27:01 -0500
This doesn't seem to work with Apache 1.1.1 on my Linux 2.0.27 box or NCSA httpd 1.5.2 on Digital UNIX v3.2 41 alpha. Maybe it's just the Apache SSL extensions somehow? I tried using Netscape 3.01 both ELF and Win32, lynx 2.5 (Linux), lynx 2.6 (Digital UNIX) and MS Internet Explorer on NT.

Sam

At 10:43 PM 1/10/97 -0800, strick -- henry strickland wrote:

> I don't know about CGI attacks, but this extra long URL to my site running Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1. will show you the raw contents of the top directory rather than the /index.html file (using Netscape Navigator 3.0 Solaris for a browser).
>
> I've always wondered how safe it was to count on nobody seeing past your index.html -- now I know. I wonder if some variant will get you the root directory of my entire filesystem instead of just the top directory of my web. I knew I should have chrooted this stuff....
>
> szia, strick

--
// Sam Schlansky // sam () serve com // http://b52-90.datanet.nyu.edu/sam
// PGP Key ID: 0x63A9D707
PGP Public key available upon request and at webpage.