Vulnerability Development mailing list archives

Re: Problems in Apache 1.3.22

From: Kerberus <kerberus () microbsd net>
Date: 07 Mar 2002 17:05:53 -0500

Advisory for what ?? Doesnt do anything on my box but server the
requested page http://127.0.0.1/ looks to me like it ignores the rest

FreeBSD dunno.somehost.com 4.5-STABLE FreeBSD 4.5-STABLE #13: Fri Feb 22
17:06:28 EST 2002  root () dunno somehost com:/usr/obj/usr/src/sys/LOCKED 
i386

httpd -v
Server version: Apache/1.3.23 (Unix)
Server built:   Jan 28 2002 13:10:29

httpd -V
Server version: Apache/1.3.23 (Unix)
Server built:   Jan 28 2002 13:10:29
Server's Module Magic Number: 19990320:11
Server compiled with....
 -D HAVE_MMAP
 -D USE_MMAP_SCOREBOARD
 -D USE_MMAP_FILES
 -D HAVE_FLOCK_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D SO_ACCEPTFILTER
 -D ACCEPT_FILTER_NAME="httpready"
 -D HTTPD_ROOT="/usr/local"
 -D SUEXEC_BIN="/usr/local/sbin/suexec"
 -D DEFAULT_PIDLOG="/var/run/httpd.pid"
 -D DEFAULT_SCOREBOARD="/var/run/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="/var/run/httpd.lock"
 -D DEFAULT_XFERLOG="/var/log/httpd-access.log"
 -D DEFAULT_ERRORLOG="/var/log/httpd-error.log"
 -D TYPES_CONFIG_FILE="etc/apache/mime.types"
 -D SERVER_CONFIG_FILE="etc/apache/httpd.conf"
 -D ACCESS_CONFIG_FILE="etc/apache/access.conf"
 -D RESOURCE_CONFIG_FILE="etc/apache/srm.conf"


On Thu, 2002-03-07 at 13:20, Kerozene wrote:

Hackemate Labs - Advisory
http://hackemate.com.ar research


This test was done in an Apache 1.3.22 with PHP/4.0.6
Installed in Windows 98 Second Edition:

When you make the next request, it takes you to the
index of the site, the main page, as if you hadn´t put
the bars. This request has 232 bars

http://127.0.0.1////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

OK

But if you make a request with 233 bars it shows you the
Forbidden messsage. Here is the request with 233 bars.

http://127.0.0.1/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

And the result:

Forbidden
You don't have permission to access 
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 on this server.


--------------------------------------------------------------------------------

Apache/1.3.22 Server at localhost Port 80


*****
Making this test I also realised that Internet Explorer doesn´t let
you put an adress of more than 2047 characters in the URL bar


Kerozene 1999-2002 c0oL!
kerozene () hackemate com ar
www.hackemate.com.ar

Current thread:

Problems in Apache 1.3.22 Kerozene (Mar 07)
- Re: Problems in Apache 1.3.22 Erik Parker (Mar 07)
- Re: Problems in Apache 1.3.22 Kerberus (Mar 07)
- <Possible follow-ups>
- Re: Problems in Apache 1.3.22 zeno (Mar 08)
- Re: Problems in Apache 1.3.22 Wodahs Latigid (Mar 08)