Hi,
I've been checking sites for some time now with this
attached prog (and mailing the webmasters), what it does is send a:
--
GET /checkapache.html HTTP/1.0
Transfer-Encoding: chunked
999999999;
a
0
--
request, and see what happends.
Vulnerable apache: crashes, so connection is closed.
Not vulnerable apache: sends something back
IIS/some other things: waits for more data (?)
Anyway, I thought that when I'm sure it's an apache server
("Server: Apache blabla") and it crashes then it must be vulnerable.
Is this always the case?
This morning I received a mail from some admin who I had mailed
and he told me they had already upgraded.
Full server version:
"Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8
OpenSSL/0.9.6b mod_perl/1.26"
So my question is: has redhat changed something in the bad-
chunked-encoding-detected-behavior in their backport
or did this guy just forget to restart apache?
Btw, there are some other "major sites" which do also drop the
connection but I couldn't see if they were running apache servers.
www.tucows.com / www.geocities.com / www.yahoo.com / etc
They do respond to "good" chunked encoding requests.
Anyway I didn't mail them since it could be some weird http
server behavior.
Cya,
Bram Matthys
This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 08:53:50 PDT