Vulnerability Development mailing list archives

Apache vulnerability checking


From: Syzop <syz () dds nl>
Date: Sun, 23 Jun 2002 12:00:34 +0200

Hi,

I've been checking sites for some time now with this
attached prog (and mailing the webmasters), what it does is send a:
--
GET /checkapache.html HTTP/1.0
Transfer-Encoding: chunked

999999999;
a
0

--
request, and see what happens.
Vulnerable apache: crashes, so connection is closed.
Not vulnerable apache: sends something back
IIS/some other things: waits for more data (?)

Anyway, I thought that when I'm sure it's an apache server
("Server: Apache blabla") and it crashes then it must be vulnerable.
Is this always the case?
This morning I received a mail from some admin who I had mailed
and he told me they had already upgraded.
Full server version:
"Server: Apache/1.3.24 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.8
 OpenSSL/0.9.6b mod_perl/1.26"

So my question is: has redhat changed something in the bad-
chunked-encoding-detected-behavior in their backport
or did this guy just forget to restart apache?

Btw, there are some other "major sites" which do also drop the
connection but I couldn't see if they were running apache servers.
www.tucows.com / www.geocities.com / www.yahoo.com / etc
They do respond to "good" chunked encoding requests.
Anyway I didn't mail them since it could be some weird http
server behavior.

Cya,

    Bram Matthys

Attachment: checkap.c
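
Added example, not part of the original post and not the attached checkap.c: a defender-side check that walks the chunked body of a captured raw HTTP request and flags a chunk-size line like the one in the probe quoted above. The function names, the `MAX_CHUNK` threshold and both sample requests are assumptions constructed for illustration.

```python
import re

# Assumed policy threshold (not from the post): 0x7FFFFFFF, the signed 32-bit max.
MAX_CHUNK = 0x7FFFFFFF
HEX = re.compile(rb"[0-9A-Fa-f]+")

def split_request(raw: bytes):
    """Return (lower-cased header dict, body); accepts CRLF or bare LF."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    headers = {}
    for line in head.splitlines()[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return headers, body

def check_chunked(raw: bytes, limit: int = MAX_CHUNK):
    """Walk the chunked body of one request and return a list of findings."""
    headers, body = split_request(raw)
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return []
    pos = 0
    while pos < len(body):
        end = body.find(b"\n", pos)
        if end == -1:
            end = len(body)
        line = body[pos:end].rstrip(b"\r")
        size_field = line.split(b";", 1)[0].strip()   # drop chunk extension
        if not HEX.fullmatch(size_field):
            return [("malformed-size", line)]
        size = int(size_field, 16)                    # chunk sizes are hex
        if size > limit:
            return [("oversized-chunk", size)]
        if size == 0:
            return []                                 # last-chunk reached
        pos = end + 1 + size                          # skip size line and data
        pos += 2 if body[pos:pos + 2] == b"\r\n" else 1
    return []

# Constructed samples: the probe quoted in the post, and a well-formed request.
PROBE = (b"GET /checkapache.html HTTP/1.0\nTransfer-Encoding: chunked\n\n"
         b"999999999;\na\n0\n\n")
GOOD = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(check_chunked(PROBE), check_chunked(GOOD))
```

Chunk sizes are hexadecimal, so the `999999999` in the probe is read as 0x999999999, which is larger than any 32-bit value.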