Hi, I've been checking sites for some time now with this attached prog (and mailing the webmasters), what it does is send a: -- GET /checkapache.html HTTP/1.0 Transfer-Encoding: chunked 999999999; a 0 -- request, and see what happends. Vulnerable apache: crashes, so connection is closed. Not vulnerable apache: sends something back IIS/some other things: waits for more data (?) Anyway, I thought that when I'm sure it's an apache server ("Server: Apache blabla") and it crashes then it must be vulnerable. Is this always the case? This morning I received a mail from some admin who I had mailed and he told me they had already upgraded. Full server version: "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26" So my question is: has redhat changed something in the bad- chunked-encoding-detected-behavior in their backport or did this guy just forget to restart apache? Btw, there are some other "major sites" which do also drop the connection but I couldn't see if they were running apache servers. www.tucows.com / www.geocities.com / www.yahoo.com / etc They do respond to "good" chunked encoding requests. Anyway I didn't mail them since it could be some weird http server behavior. Cya, Bram Matthys
This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 08:53:50 PDT