Re: Problems in Apache 1.3.22

[zeno <bugtraq () cgisecurity net>]

> Hackemate Labs - Advisory
> http://hackemate.com.ar research

Old problem. Its not a bug its a security fix. Versions below 1.3.20 have a long slash path disclosure
bug. Patched versions show 403 forbidden errors.

This is known and not a bug.

- zeno () cgisecurity com


> This test was done in an Apache 1.3.22 with PHP/4.0.6
> Installed in Windows 98 Second Edition:
>
> When you make the next request, it takes you to the
> index of the site, the main page, as if you hadn?t put
> the bars. This request has 232 bars
>
> http://127.0.0.1////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> OK
>
> But if you make a request with 233 bars it shows you the
> Forbidden messsage. Here is the request with 233 bars.
>
> http://127.0.0.1/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> And the result:
>
> Forbidden
> You don't have permission to access 
> /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>  on this server.
>
>
> --------------------------------------------------------------------------------
>
> Apache/1.3.22 Server at localhost Port 80
>
>
> *****
> Making this test I also realised that Internet Explorer doesn?t let
> you put an adress of more than 2047 characters in the URL bar
>
>
> Kerozene 1999-2002 c0oL!
> kerozene () hackemate com ar
> www.hackemate.com.ar