Your understood is correct. Your patch would solve the problem correctly ! Ivan Hernandez Bob at firstcodings wrote: > Hi members, > >I think no patch has been released at this day.... so, I wrote one myself >using ISAPI filters. >As I understood RFCs, a hit generated by a "GET" method, does not need the >"Content-Length:" header. If this is true, I think my filter is correct. > >The page is http://bob.firstcodings.com/programs/dropcontentlengthget/ >(source code is included). For now, please consider this filter as "beta >release". >I installed this filter on a production server which has an average load : >after 2 days and at this point, all is fine. Above all, exploit described in >bid 3667 does not work anymore. > >Thanks to email me at "dropContentLengthGetat_private" for any >comments/feedbacks/suggestions about this filter. > > >Bob - firstcodings. >P.S : my english may not be correct, sorry :) > >
This archive was generated by hypermail 2b30 : Wed Mar 06 2002 - 13:25:17 PST