RE: Apache vulnerability checking

From: Elan Hasson (elanat_private)
Date: Sun Jun 23 2002 - 23:24:31 PDT


    Yahoo runs a private version of Apache.
    
    Geocities is owned by Yahoo, so I assume the same.
    
    
    -----Original Message-----
    From: Syzop [mailto:syzat_private]
    Sent: Sunday, June 23, 2002 6:01 AM
    To: vuln-devat_private
    Subject: Apache vulnerability checking
    
    
    Hi,
    
    I've been checking sites for some time now with this
    attached prog (and mailing the webmasters), what it does is send a:
    --
    GET /checkapache.html HTTP/1.0
    Transfer-Encoding: chunked
    
    999999999;
    a
    0
    
    --
    request, and see what happens.
    Vulnerable apache: crashes, so connection is closed.
    Not vulnerable apache: sends something back
    IIS/some other things: waits for more data (?)
    
    Anyway, I thought that when I'm sure it's an apache server
    ("Server: Apache blabla") and it crashes then it must be vulnerable.
    Is this always the case?
    This morning I received a mail from some admin who I had mailed
    and he told me they had already upgraded.
    Full server version:
    "Server: Apache/1.3.24 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.8
     OpenSSL/0.9.6b mod_perl/1.26"
    
    So my question is: has redhat changed something in the bad-
    chunked-encoding-detected-behavior in their backport
    or did this guy just forget to restart apache?
    
    Btw, there are some other "major sites" which do also drop the
    connection but I couldn't see if they were running apache servers.
    www.tucows.com / www.geocities.com / www.yahoo.com / etc
    They do respond to "good" chunked encoding requests.
    Anyway I didn't mail them since it could be some weird http
    server behavior.
    
    Cya,
    
        Bram Matthys
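
From the defending side, a front-end proxy or a packet-capture reviewer can recognise the request quoted above by validating its chunk-size lines before the body reaches the web server. The following is an added example, not code from the thread or from Apache; `check_chunked_body`, `MAX_CHUNK` and the sample byte strings are assumptions made for illustration.

```python
import re

# Assumed policy limit for one chunk (hypothetical; tune per deployment).
MAX_CHUNK = 1 << 20

# Constructed sample: the body of the request quoted in the message above.
PROBE = b"999999999;\r\na\r\n0\r\n\r\n"
# Constructed sample: a well-formed chunked body carrying "hello".
GOOD = b"5\r\nhello\r\n0\r\n\r\n"

# chunk-size is hexadecimal, optionally followed by ";extension".
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)[ \t]*(;.*)?")


def check_chunked_body(body, max_chunk=MAX_CHUNK):
    """Walk a chunked body and return (verdict, detail).

    Verdicts: "ok", "oversized", "malformed", "incomplete".
    Trailer headers after the last chunk are not inspected.
    """
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return ("incomplete", "no CRLF after chunk-size line")
        m = _SIZE_LINE.fullmatch(body[pos:eol])
        if m is None:
            return ("malformed", "chunk-size is not hexadecimal")
        size = int(m.group(1), 16)
        if size > max_chunk:
            # "999999999" read as hex declares about 41 GB for 1 byte sent.
            return ("oversized", f"declared {size} bytes")
        if size == 0:
            return ("ok", "last chunk reached")
        data_end = eol + 2 + size
        if len(body) < data_end + 2:
            return ("incomplete", "fewer bytes than declared")
        if body[data_end:data_end + 2] != b"\r\n":
            return ("malformed", "chunk data not followed by CRLF")
        pos = data_end + 2


if __name__ == "__main__":
    for name, sample in (("probe", PROBE), ("good", GOOD)):
        print(name, check_chunked_body(sample))
```

With the size limit lifted, the same request is reported as "incomplete", which matches the "waits for more data" behaviour the message observes on other servers.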
    



    This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 20:37:13 PDT