Full Disclosure mailing list archives
Re: IPS Evasion with the Apache HTTP Server
From: coderman <coderman () gmail com>
Date: Tue, 19 Jun 2007 14:54:28 -0700
On 6/19/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> ... I'm tempted to take that bet. Lot of people have thrown lots of truly wild stuff at the Apache code over the years - it may react in *unexpected* ways, but it's probably pretty bulletproof.
agreed.
> On the other hand, that little webserver admin tool that's stuffed into one corner of your DSL modem's ROM probably got tested ... with little to no serious abuse of the interface.
absolutely. i didn't mean to imply that embedded and lightweight webservers were more robust, they surely aren't. only that they would be much less likely to interpret arbitrary unprintable characters in a request as valid. in particular, buffer overflows are not uncommon for embedded devices, like those who don't expect a request URL to exceed 1024 characters, etc...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/