Vulnerability Development mailing list archives
Re: Problems in Apache 1.3.22
From: zeno <bugtraq () cgisecurity net>
Date: Thu, 7 Mar 2002 15:51:49 -0500 (EST)
Hackemate Labs - Advisory http://hackemate.com.ar research
Old problem. It's not a bug, it's a security fix. Versions below 1.3.20 have a long slash path disclosure bug. Patched versions show 403 forbidden errors. This is known and not a bug.

- zeno () cgisecurity com
This test was done in an Apache 1.3.22 with PHP/4.0.6 installed in Windows 98 Second Edition:

When you make the next request, it takes you to the index of the site, the main page, as if you hadn't put the bars. This request has 232 bars

http://127.0.0.1////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

OK

But if you make a request with 233 bars it shows you the Forbidden message. Here is the request with 233 bars.

http://127.0.0.1/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

And the result:

Forbidden

You don't have permission to access ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// on this server.

--------------------------------------------------------------------------------
Apache/1.3.22 Server at localhost Port 80

*****

Making this test I also realised that Internet Explorer doesn't let you put an address of more than 2047 characters in the URL bar

Kerozene 1999-2002 c0oL!
kerozene () hackemate com ar
www.hackemate.com.ar
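For operators who want to see how their own server answered requests like the ones in this thread, the following is an added example (not part of either post, and not Apache project code) that scans Common Log Format access-log lines for request paths with long runs of consecutive slashes and groups them by response status. The sample log lines are constructed, and the threshold of 100 slashes is an assumption to tune.

```python
import re
from collections import Counter

# Apache Common Log Format:
#   host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def longest_slash_run(path):
    """Length of the longest run of consecutive '/' in a request path."""
    return max((len(run) for run in re.findall(r'/+', path)), default=0)

def scan(lines, threshold=100):
    """Return (hits, by_status) for requests whose path has a slash run
    of at least `threshold`. hits is a list of (host, status, run_length)."""
    hits, by_status = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        host, _method, path, status = m.groups()
        run = longest_slash_run(path)
        if run >= threshold:
            hits.append((host, status, run))
            by_status[status] += 1
    return hits, by_status

# Constructed sample log lines (timestamps and byte counts are made up);
# the 232 -> 200 and 233 -> 403 outcomes mirror the test reported in the thread.
SAMPLE_LOG = [
    '127.0.0.1 - - [07/Mar/2002:15:40:01 -0500] "GET /index.html HTTP/1.0" 200 1456',
    '127.0.0.1 - - [07/Mar/2002:15:41:10 -0500] "GET ' + '/' * 232 + ' HTTP/1.0" 200 1456',
    '127.0.0.1 - - [07/Mar/2002:15:41:30 -0500] "GET ' + '/' * 233 + ' HTTP/1.0" 403 290',
    '10.0.0.5 - - [07/Mar/2002:15:42:02 -0500] "GET /a//b HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    hits, by_status = scan(SAMPLE_LOG)
    for host, status, run in hits:
        print(f"{host} sent a path with {run} consecutive slashes -> HTTP {status}")
    print("responses to long-slash requests by status:", dict(by_status))
```

A long-slash request answered with 403 matches the patched behaviour described in the reply; one answered with 200 deserves a look at what content was actually served.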