[1016] in bugtraq
Re: Vulnerability in NCSA HTTPD 1.3
daemon@ATHENA.MIT.EDU (Christopher Davis)
Thu Feb 16 15:56:16 1995
Date: Thu, 16 Feb 1995 13:03:43 -0500
From: Christopher Davis <ckd@loiosh.kei.com>
To: "Robert M. Haas" <rhaas@cygnus.arc.nasa.gov>
Cc: Christopher Davis <ckd@loiosh.kei.com>,
"Paul 'Shag' Walmsley" <ccshag@cclabs.missouri.edu>,
Thomas Lopatic <lopatic@dbs.informatik.uni-muenchen.de>,
bugtraq@fc.net
In-Reply-To: <199502150459.UAA07976@cygnus.arc.nasa.gov>
RMH> == Robert M Haas <rhaas@cygnus.arc.nasa.gov>

ckd> CERN's httpd seems to be a bit smarter about this sort of thing, but
ckd> it's SO huge that even if they have only 10% as many bugs per K,
ckd> they're worse than NCSA.

RMH> Are there known bugs in CERN's httpd? Is there a buglist? If so I
RMH> would appreciate a copy...

I don't know of any bugs in CERN's httpd, and I haven't seen a buglist. I
just noted the huge difference in code size (it's a very coarse metric, I
know, but I find it a useful rule of thumb).

RMH> I'm running CERN's httpd chroot'd, figuring that gives me a little
RMH> room for error. Am I kidding myself?

Probably not. At least chroot() will help matters somewhat.

ObBug1: wn/0.97a and earlier has the same problem as NCSA httpd. Get 0.98.

ObBug2: Netscape doesn't like the WWW-Link http header on images; it'll
show a broken image instead. wn will emit this header. I #ifdef'ed it
out for now (and reported the bug to Netscape Communications).