Full Disclosure mailing list archives
Re: Apache Killer
From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Thu, 25 Aug 2011 07:34:13 +0200
Yeah you are correct. It does not really matter. It's just a DoS, things should move on. I do that for fun, seeing things break, not more, not less. The hype on the media right now makes no difference, but I must admit listening to Johannes Ullrich in the daily stormcast reporting about the postings is quite fun.

2011/8/25 Michal Zalewski <lcamtuf () coredump cx>:
>> just for the record I have the impression that this is not the same vulnerability you outlined in your advisory a while back. It is more that the idea for this vulnerability originated from your advisory, not the same bug.
>
> I don't think this even matters, and I really don't disagree...
>
> In 2007, I noticed that their Range handling is silly, and may prompt them to generate very large responses. I casually proposed a window scaling-based attack back then, and nothing happened.
>
> My understanding is that your exploit is based on the same principle (I don't think they fixed this in any way), but combines it with protocol-level compression to force the server to waste some memory and CPU resources to compress the response beforehand.
>
> But in any case, life goes on, it's just a DoS. Good that they're fixing it...
>
> /mz
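
The thread attributes the problem to Range handling that lets one request ask for far more bytes than the resource holds. As an added example (not part of the thread and not Apache's code), this Python check resolves a Range header against a resource size and flags requests whose ranges overlap or sum to more than the resource; the function names and both thresholds are assumptions.

```python
import re

# Assumed policy values for illustration; the thread gives no thresholds.
MAX_RANGES = 5
MAX_AMPLIFICATION = 1.0  # requested bytes / resource size

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_ranges(header, size):
    """Resolve a Range header value to (first, last) offsets within a
    resource of `size` bytes. Returns None if the value is malformed."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    resolved = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            return None
        first, last = m.group(1), m.group(2)
        if not first:                      # suffix form "-N": final N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
            if last and int(last) < start:
                return None                # last-byte before first-byte
        if start <= end:                   # drop unsatisfiable ranges
            resolved.append((start, end))
    return resolved

def assess(header, size):
    """Summarise how much work a Range request asks of the server."""
    ranges = parse_ranges(header, size)
    if ranges is None:
        return {"valid": False, "flagged": False}
    requested = sum(end - start + 1 for start, end in ranges)
    ordered = sorted(ranges)
    overlapping = any(a[1] >= b[0] for a, b in zip(ordered, ordered[1:]))
    amplification = requested / size if size else 0.0
    return {"valid": True, "count": len(ranges), "requested": requested,
            "overlapping": overlapping, "amplification": amplification,
            "flagged": len(ranges) > MAX_RANGES
                       or amplification > MAX_AMPLIFICATION}

# Constructed sample headers, evaluated against a 1000-byte resource.
SAMPLES = ["bytes=0-499", "bytes=0-99,200-299", "bytes=0-999,0-998,0-997,0-996"]
if __name__ == "__main__":
    for h in SAMPLES:
        print(h, assess(h, 1000))
```

The third sample stays under the range-count limit yet is flagged on amplification, which is why the check measures requested bytes and not only the number of ranges.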