[3916] in bugtraq


Re: extra long URL attack

daemon@ATHENA.MIT.EDU (Marc Slemko)
Sun Jan 12 02:14:26 1997

Date: Sat, 11 Jan 1997 14:02:02 -0700
Reply-To: Marc Slemko <marcs@znep.com>
From: Marc Slemko <marcs@znep.com>
X-To: strick -- henry strickland <strick@versant.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To: <199701110643.WAA11911@gwarn.versant.com>

On Fri, 10 Jan 1997, strick -- henry strickland wrote:

> I don't know about CGI attacks, but this extra long URL to
> my site running
>         Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
> will show you the raw contents of the top directory
> rather than the /index.html file (using Netscape Navigator 3.0 solaris
> for a browser).

This is dependent on the implementation of the stat(2) call.  Apache
currently assumes that if stating the translated path fails, no index file
exists so it should generate one.  However, some stats will fail if the
path is longer than a certain limit.  This should be fixed in a release
within the next few days or so.

>
> I've always wondered how safe it was to count on nobody seeing
> past your index.html -- now I know.  I wonder if some variant
> will get you the root directory of my entire filesystem instead
> of just the top directory of my web.  I knew I should have
> chrooted this stuff....

It is unlikely that this particular hole could do that, but chrooting your
web server is seldom a bad thing when you can pull it off.
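Added illustration, not code from Marc's mail or from Apache itself: the stat() assumption described above, written out in C beside a version that treats "file absent" (ENOENT) differently from "call failed" (ENAMETOOLONG and friends). The enum, function names and the constructed overlong path are my own; the decision logic is the only thing being demonstrated.

```c
#include <errno.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Outcomes of the "is there an index file?" decision. */
enum index_decision { SERVE_INDEX, GENERATE_LISTING, REFUSE_REQUEST };

/* The assumption the mail describes: any stat() failure is read as
 * "no index file here", so the server falls through to auto-indexing.
 * A path that is merely too long (ENAMETOOLONG) takes the same branch. */
enum index_decision decide_buggy(const char *index_path)
{
    struct stat st;
    return stat(index_path, &st) == 0 ? SERVE_INDEX : GENERATE_LISTING;
}

/* Hardened decision: only ENOENT/ENOTDIR mean the file is absent. Any
 * other errno (ENAMETOOLONG, EACCES, ELOOP, ...) is an error, and the
 * fallback must not be to expose the directory's contents. */
enum index_decision decide_fixed(const char *index_path)
{
    struct stat st;
    if (stat(index_path, &st) == 0)
        return SERVE_INDEX;
    if (errno == ENOENT || errno == ENOTDIR)
        return GENERATE_LISTING;
    return REFUSE_REQUEST;
}

/* Constructed sample input (assumption): a translated path longer than
 * PATH_MAX, which the kernel rejects with ENAMETOOLONG before any lookup. */
const char *overlong_index_path(void)
{
    static char buf[PATH_MAX + 256];
    size_t n = PATH_MAX + 64;       /* the run of 'a' alone exceeds PATH_MAX */
    strcpy(buf, "/tmp/");
    memset(buf + 5, 'a', n);
    strcpy(buf + 5 + n, "/index.html");
    return buf;
}
```

On the overlong path decide_buggy() returns GENERATE_LISTING while decide_fixed() returns REFUSE_REQUEST; on a genuinely missing file both agree on GENERATE_LISTING.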
