> * How can someone issue a "Host:" tag after the "GET ... HTTP/1.0"
> line, if the evil buffer will get apache to process the request.
>
> As for your question on how Host can be delivered.. you are
> not exploiting the apache daemon, you are exploiting the script it calls.
> So the apache is processing everything fine, it is after that when apache
> calls upon the cgi that things go wrong. Nothing (or very very little) to do
> with how apache handles things.

I suspect what's going on here is that part of the exploit code in the URI is
actually a carriage return. Therefore apache is seeing

GET <first_bit_of_exploit_code_here>\r\n
<last_bit_of_exploit_code> HTTP/1.0

As the first line doesn't contain the HTTP version it assumes that it's
HTTP/0.9 and so processes the request immediately.

You need to pass a host header if you are attacking a web site on a shared
server using name based virtual hosts which is why this is a problem (and
the fact that all your exploit code won't be reaching the CGI ;))

Stuart
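The request-line behaviour Stuart describes, as an added example that is not part of the original post and is not Apache's own code: a small model of the parser fallback (a two-token request line is read as HTTP/0.9, which has no headers, so the bytes after it are never parsed as headers and any Host header is lost), plus a check a defender can run over raw requests or captured traffic to spot a target that contained a line break. The sample requests, the `/cgi-bin/example.cgi` path, the `vhost.example` host and the `AAAA`/`BBBB` filler are constructed placeholders.

```python
# Added example, not from the post or from Apache: a minimal model of the
# HTTP/0.9 fallback Stuart describes, plus a defender-side check.

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into method, target, version and headers.

    A request line with only two tokens (method and target, no HTTP-version)
    is treated as HTTP/0.9.  HTTP/0.9 has no headers, so the server acts on
    the line at once and everything after it is left unread: a Host header
    that follows such a line never reaches the virtual-host selection.
    """
    first_line, _, rest = raw.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) == 2:
        method, target = parts
        return {"method": method, "target": target, "version": b"HTTP/0.9",
                "headers": {}, "unread": rest}
    if len(parts) == 3:
        method, target, version = parts
        header_block, _, _body = rest.partition(b"\r\n\r\n")
        headers = {}
        for line in header_block.split(b"\r\n"):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower()] = value.strip()
        return {"method": method, "target": target, "version": version,
                "headers": headers, "unread": b""}
    raise ValueError("malformed request line: %r" % first_line)


def looks_like_split_target(raw: bytes) -> bool:
    """Flag a request whose first line is HTTP/0.9-shaped (two tokens) while a
    later line still carries an HTTP-version token.  That combination is a
    strong sign that a CR/LF sat inside what the client meant as one target,
    which is worth alerting on in a proxy, IDS or access-log review."""
    lines = raw.split(b"\r\n")
    if len(lines[0].split(b" ")) != 2:
        return False
    return any(line.endswith((b" HTTP/1.0", b" HTTP/1.1")) for line in lines[1:])


# Constructed sample requests; "AAAA" and "BBBB" are filler standing in for
# whatever the client placed in the target, not a real payload.
NORMAL = b"GET /cgi-bin/example.cgi?AAAA HTTP/1.0\r\nHost: vhost.example\r\n\r\n"
SPLIT = b"GET /cgi-bin/example.cgi?AAAA\r\nBBBB HTTP/1.0\r\nHost: vhost.example\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("split", SPLIT)):
        parsed = parse_request(req)
        print(label, parsed["version"], parsed["headers"].get(b"host"),
              "split-target:", looks_like_split_target(req))
```

Running the block shows the normal request parsed as HTTP/1.0 with its Host header intact, while the split request is parsed as HTTP/0.9 with no headers at all and the second half of the intended target left unread, which is exactly why a name-based virtual host never sees the Host header in that case.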
This archive was generated by hypermail 2b30 : Thu Jun 06 2002 - 14:21:00 PDT