RE: Apache Artificially Long Slash Path Directory Listing Vulnerability -- FILE READ ACCESS

["Chip McClure" <vhm3 () hades dnsalias net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've tested it unsucessfully on the following platforms:

Apache 1.3.12 & 1.3.14 on Solaris 2.6
Apache 1.3.12 & 1.3.16 on Linux (RedHat 6.2)
Apache 1.3.16 on RedHat 7.1
Apache 1.3.19 on FreeBSD 4.2 & 4.3

No matter how many slashes I append to the string, I still come up
with the correct page. My guess, is that is an Apache / NT thing.

Chip

- -----Original Message-----
From: Brian Dinello [mailto:brian.dinello () vigilantminds com]
Sent: Friday, July 27, 2001 3:12 PM
To: 'Moorjani uday'; 'bugtraq () securityfocus com'
Subject: RE: Apache Artificially Long Slash Path Directory Listing
Vulnerability -- FILE READ ACCESS




As we don't have access to all versions of Apache on all platforms, I
can't
say for certain that this will work on all of them.  The version that
we
have successfully tested on with 100% consistency is Apache 1.3.12 on
NT4.  

Please let me know if you duplicate this success on any other
platforms.

Brian


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8

iQA/AwUBO2Hu84xq/3tb9j7EEQKnUACcDV64aBwjumYip/FSyMnz+57rX+UAn3R1
f+TwY+lgwn3sKPYw3Thyj0RD
=98Xb
-----END PGP SIGNATURE-----