Apache vulnerability checking

From: Syzop (syzat_private)
Date: Sun Jun 23 2002 - 03:00:34 PDT

    Hi,
    
    I've been checking sites for some time now with this
    attached prog (and mailing the webmasters), what it does is send a:
    --
    GET /checkapache.html HTTP/1.0
    Transfer-Encoding: chunked
    
    999999999;
    a
    0
    
    --
    request, and see what happens.
    Vulnerable apache: crashes, so connection is closed.
    Not vulnerable apache: sends something back
    IIS/some other things: waits for more data (?)
    
    Anyway, I thought that when I'm sure it's an apache server
    ("Server: Apache blabla") and it crashes then it must be vulnerable.
    Is this always the case?
    This morning I received a mail from some admin who I had mailed
    and he told me they had already upgraded.
    Full server version:
    "Server: Apache/1.3.24 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.8
     OpenSSL/0.9.6b mod_perl/1.26"
    
    So my question is: has redhat changed something in the bad-
    chunked-encoding-detected-behavior in their backport
    or did this guy just forget to restart apache?
    
    Btw, there are some other "major sites" which also drop the
    connection but I couldn't see if they were running apache servers.
    www.tucows.com / www.geocities.com / www.yahoo.com / etc
    They do respond to "good" chunked encoding requests.
    Anyway I didn't mail them since it could be some weird http
    server behavior.
    
    Cya,
    
        Bram Matthys
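The post describes the probe only from the client side (vulnerable server drops the connection, patched server answers). The following is an added example, not the attached program from the post and not Apache code: a small Python checker, as a defender might run over captured or proxied requests, that parses the chunked body the way a careful server should and flags the two things this probe relies on, a chunk-size line that is not plain hex and a declared chunk size far larger than any legitimate body. The request texts, the function names `parse_chunk_size` / `analyze_request` and the `MAX_CHUNK_SIZE` threshold are all constructed assumptions for the example.

```python
import re
from typing import Optional

# Constructed threshold (assumption, tune per site): a single chunk larger
# than this is treated as suspicious rather than as a real upload.
MAX_CHUNK_SIZE = 1 << 20

# RFC 2616 chunk-size line: hex digits, optionally followed by ";extensions".
_CHUNK_SIZE_RE = re.compile(r"^([0-9A-Fa-f]+)(?:;.*)?$")


def parse_chunk_size(line: str) -> Optional[int]:
    """Return the declared chunk size, or None if the line is not a valid chunk-size line."""
    m = _CHUNK_SIZE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1), 16)


def analyze_request(raw: str) -> dict:
    """Inspect one HTTP request (as text) and report malformed or oversized chunks.

    Line-based on purpose: this is a log/capture checker, not a full HTTP parser,
    so chunk data containing newlines is not handled.
    """
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    headers = {}
    for header_line in head.split("\n")[1:]:  # skip the request line
        name, _, value = header_line.partition(":")
        headers[name.strip().lower()] = value.strip()

    result = {"chunked": False, "suspicious": False, "reasons": []}
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return result
    result["chunked"] = True

    body_lines = body.split("\n")
    i = 0
    while i < len(body_lines):
        size = parse_chunk_size(body_lines[i])
        if size is None:
            result["reasons"].append(f"malformed chunk-size line: {body_lines[i]!r}")
            break
        if size > MAX_CHUNK_SIZE:
            result["reasons"].append(f"oversized chunk size {size:#x}")
            break
        if size == 0:  # last-chunk marker
            break
        data = body_lines[i + 1] if i + 1 < len(body_lines) else ""
        if len(data) != size:
            result["reasons"].append(f"declared {size} bytes but {len(data)} present")
            break
        i += 2

    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed sample requests: the probe shape from the post, and a normal chunked POST.
PROBE_REQUEST = (
    "GET /checkapache.html HTTP/1.0\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "999999999;\r\n"
    "a\r\n"
    "0\r\n"
    "\r\n"
)

NORMAL_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "5\r\n"
    "hello\r\n"
    "0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("probe", PROBE_REQUEST), ("normal", NORMAL_REQUEST)):
        print(name, analyze_request(req))
```

Run against a capture, the probe is reported as an oversized chunk (0x999999999 bytes declared) while the ordinary chunked POST passes; the same bounded parse is what a server should do before it ever allocates or copies a chunk.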
    This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 08:53:50 PDT