Bugtraq mailing list archives
extra long URL attack
From: strick () versant com (strick -- henry strickland)
Date: Fri, 10 Jan 1997 22:43:10 -0800
I don't know about CGI attacks, but this extra long URL to my site running Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1 will show you the raw contents of the top directory rather than the /index.html file (using Netscape Navigator 3.0 Solaris for a browser).

I've always wondered how safe it was to count on nobody seeing past your index.html -- now I know.

I wonder if some variant will get you the root directory of my entire filesystem instead of just the top directory of my web. I knew I should have chrooted this stuff....

szia,
strick

[uuencoded attachment: xyz.html.gz]