Re: extra long URL attack

[sam () serve com (Sam Schlansky)]

This doesn't seem to work with Apache 1.1.1 on my Linux 2.0.27 box or NCSA
httpd 1.5.2 on Digital UNIX v3.2 41 alpha.

Maybe its just the apache SSL extensions somehow?

I tried using Netscape 3.01 both ELF and Win32, lynx 2.5 (linux), lynx 2.6
(Digital unix) and MS Internet Explorer on NT.

Sam

At 10:43 PM 1/10/97 -0800, strick -- henry strickland wrote:
> I don't know about CGI attacks, but this extra long URL to
> my site running
>        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
> will show you the raw contents of the top directory
> rather than the /index.html file (using Netscape Navigator 3.0 solaris
> for a browser).
>
> i've always wondered how safe it was to count on nobody seeing
> past your index.html -- now i know.  I wonder if some varient
> will get you the root directory of my entire filesystem instead
> of just the top directory of my web.  I knew I should have
> chrooted this stuff....
>
> szia, strick
--

// Sam Schlansky
// sam () serve com
// http://b52-90.datanet.nyu.edu/sam
// PGP Key ID: 0x63A9D707

PGP Public key available upon request and at webpage.