> Hackemate Labs - Advisory
> http://hackemate.com.ar research

Old problem. It's not a bug, it's a security fix. Versions below 1.3.20 have a long slash path disclosure bug. Patched versions show 403 forbidden errors. This is known and not a bug.

- zenoat_private

> This test was done in an Apache 1.3.22 with PHP/4.0.6
> Installed in Windows 98 Second Edition:
>
> When you make the next request, it takes you to the
> index of the site, the main page, as if you hadn't put
> the bars. This request has 232 bars
>
> http://127.0.0.1////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> OK
>
> But if you make a request with 233 bars it shows you the
> Forbidden message. Here is the request with 233 bars.
>
> http://127.0.0.1/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>
> And the result:
>
> Forbidden
> You don't have permission to access ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// on this server.
>
> --------------------------------------------------------------------------------
>
> Apache/1.3.22 Server at localhost Port 80
>
> *****
> Making this test I also realised that Internet Explorer doesn't let
> you put an address of more than 2047 characters in the URL bar
>
> Kerozene 1999-2002 c0oL!
> kerozeneat_private
> www.hackemate.com.ar
This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 04:09:58 PST
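
For defenders reviewing access logs for the long-slash requests discussed in this thread, the following Python sketch is an added example, not part of the original posts: it parses Common Log Format lines and flags requests whose path contains a long run of slashes, separating those answered with 403 from the rest. The log lines, the `min_run` threshold of 16 and the function names are constructed for illustration.

```python
import re

# Constructed sample lines in Apache Common Log Format (not from the original post).
SAMPLE_LOG = "\n".join([
    '127.0.0.1 - - [08/Mar/2002:04:00:01 -0800] "GET /index.php HTTP/1.0" 200 1043',
    '127.0.0.1 - - [08/Mar/2002:04:00:02 -0800] "GET ' + "/" * 232 + ' HTTP/1.0" 200 1043',
    '127.0.0.1 - - [08/Mar/2002:04:00:03 -0800] "GET ' + "/" * 233 + ' HTTP/1.0" 403 412',
    '127.0.0.1 - - [08/Mar/2002:04:00:04 -0800] "GET /a//b/c.html HTTP/1.0" 200 88',
    'garbage line that is not CLF',
])

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status, size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)$')
SLASH_RUN = re.compile(r"/+")


def longest_slash_run(target):
    """Length of the longest run of consecutive '/' in the path (query string ignored)."""
    path = target.split("?", 1)[0]
    return max((len(m.group()) for m in SLASH_RUN.finditer(path)), default=0)


def find_long_slash_requests(log_text, min_run=16):
    """Return (client, status, run_length, verdict) for requests with a slash run >= min_run.

    min_run is an assumed threshold; ordinary URLs rarely contain more than two
    consecutive slashes, so anything this long deserves a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        client, _ts, _method, target, status, _size = m.groups()
        run = longest_slash_run(target)
        if run < min_run:
            continue
        # 403 is the response the thread reports for the refused request;
        # any other status means the server processed the path and needs review.
        verdict = "refused" if status == "403" else "review"
        hits.append((client, int(status), run, verdict))
    return hits


if __name__ == "__main__":
    for client, status, run, verdict in find_long_slash_requests(SAMPLE_LOG):
        print(f"{client} status={status} slash_run={run} -> {verdict}")
```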