[3911] in bugtraq


extra long URL attack

daemon@ATHENA.MIT.EDU (strick -- henry strickland)
Sat Jan 11 11:40:00 1997

Date: 	Fri, 10 Jan 1997 22:43:10 -0800
Reply-To: strick -- henry strickland <strick@versant.com>
From: strick -- henry strickland <strick@versant.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

I don't know about CGI attacks, but this extra long URL to
my site running
        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
will show you the raw contents of the top directory
rather than the /index.html file (using Netscape Navigator 3.0 Solaris
for a browser).

I've always wondered how safe it was to count on nobody seeing
past your index.html -- now I know.  I wonder if some variant
will get you the root directory of my entire filesystem instead
of just the top directory of my web.  I knew I should have
chrooted this stuff....

szia, strick


