Yes, that version is vulnerable to at least the directory indexing bug. I have encountered the same setup in the field and successfully used the vulnerability to get a listing of files in the web root and subdirectories. Attached is the script I used, its pretty rough but does the trick. The actual securityfocus bid is 1284. The "exploit" of mine they have listed on that BID has a typo and I have been ignored everytime I tried to post a fixed version. I guess Elias was too busy rejecting all the crap that people post to bugtraq ;) AFAIK, IBM hasn't release a fix, and the Apache folks fixed it a long time ago but still consider thier Win32 version on-production quality. -HD On Wednesday 13 June 2001 12:12 pm, Paul Rogers wrote: > One of our client's are utilising IBM's HTTP server and Websphere to host > their website and web applications. The IBM HTTP server utilises Apache to > serve web content to users (the version in question is 1.3.12 for Win32). > My query is related to the vulnerabilities associated with the Win32 > version of the Apache webserver. Can the vulnerabilites associated with > 1.3.12 Win32 version of Apache be used on an IBM HTTP server; or have IBM > modified the Apache source in anyway to protect against these issues? > > Just a thought since there don't seem to be any upgrades to later versions > of Apache Win32 from IBM as yet, although version 1.3.14 is planned for the > next release.
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 22:41:25 PDT