Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/01/11 21:01:10 UTC

extra long URL attack

I'm pretty sure we deliberately fixed this bug as opposed to it just being
fixed by chance... but I thought I'd forward it anyhow.

Dean

---------- Forwarded message ----------
Date: Fri, 10 Jan 1997 22:43:10 -0800
From: strick -- henry strickland <st...@versant.com>
To: Multiple recipients of list BUGTRAQ <BU...@NETSPACE.ORG>
Subject: extra long URL attack

I don't know about CGI attacks, but this extra long URL to
my site running
        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
will show you the raw contents of the top directory
rather than the /index.html file (using Netscape Navigator 3.0 solaris
for a browser).

i've always wondered how safe it was to count on nobody seeing
past your index.html -- now i know.  I wonder if some variant
will get you the root directory of my entire filesystem instead
of just the top directory of my web.  I knew I should have
chrooted this stuff....

szia, strick





---------- Forwarded message ----------
Date: Sat, 11 Jan 1997 11:52:05 -0500
From: John Robert LoVerso <jo...@loverso.southborough.ma.us>
To: Multiple recipients of list BUGTRAQ <BU...@NETSPACE.ORG>
Subject: Re: extra long URL attack

> but this extra long URL to my site running
>        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
> will show you the raw contents of the top directory

Yours was the only server (that I tried) that this worked on.  In particular,
it does not work against Apache/1.2bX sites, including:

        Server: Stronghold/2.0b1 Apache/1.2b2

John



---------- Forwarded message ----------
Date: Sat, 11 Jan 1997 19:21:48 +0200
From: Jyri Kaljundi <jk...@stallion.ee>
To: Multiple recipients of list BUGTRAQ <BU...@netspace.org>
Subject: Re: extra long URL attack

On Fri, 10 Jan 1997, strick -- henry strickland wrote:

> I don't know about CGI attacks, but this extra long URL to
> my site running
>         Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
> will show you the raw contents of the top directory
> rather than the /index.html file (using Netscape Navigator 3.0 solaris
> for a browser).

This works also for standard Apache 1.1.1. One solution is to turn off
indexing in Apache config. In your access.conf file, in Options just
remove the word Indexes.

Juri Kaljundi
jk@stallion.ee
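
The mitigation suggested in the message above (removing Indexes from Options in access.conf) can be checked mechanically. The following is an added example, not part of the original thread or of Apache: a Python check that lists the Options lines that turn directory indexes on. The sample configuration and its paths are constructed, and each Options line is judged on its own, without modelling inheritance between sections.

```python
import re

# Constructed sample in the style of an Apache 1.x access.conf (not from the thread).
SAMPLE_CONF = """\
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
</Directory>
<Directory /usr/local/etc/httpd/cgi-bin>
Options ExecCGI
</Directory>
<Directory /usr/local/etc/httpd/htdocs/private>
# Options Indexes
Options All -Indexes
</Directory>
<Directory /usr/local/etc/httpd/htdocs/pub>
Options +Indexes
</Directory>
"""

SECTION_OPEN = re.compile(r"<([^/>][^>]*)>")   # e.g. <Directory /path>
SECTION_CLOSE = re.compile(r"</[^>]+>")        # e.g. </Directory>

def enables_indexes(option_tokens):
    """True if this single Options line turns directory listings on.
    Assumption: inheritance from enclosing sections is not modelled."""
    opts = [t.lower() for t in option_tokens]
    if "-indexes" in opts:
        return False
    # "All" includes Indexes, so it counts unless Indexes is removed explicitly.
    return any(t in ("indexes", "+indexes", "all", "+all") for t in opts)

def find_indexes(conf_text):
    """Return (line_no, section, directive) for Options lines enabling Indexes."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        opened = SECTION_OPEN.match(raw.strip())
        if opened:
            stack.append(opened.group(1).strip())
        elif SECTION_CLOSE.match(raw.strip()) and stack:
            stack.pop()
        elif words[0].lower() == "options" and enables_indexes(words[1:]):
            findings.append((line_no, stack[-1] if stack else "(server-wide)", raw.strip()))
    return findings

if __name__ == "__main__":
    for line_no, section, directive in find_indexes(SAMPLE_CONF):
        print(f"line {line_no}: {section}: {directive}")
```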



---------- Forwarded message ----------
Date: Sat, 11 Jan 1997 12:27:01 -0500
From: Sam Schlansky <sa...@serve.com>
To: Multiple recipients of list BUGTRAQ <BU...@netspace.org>
Subject: Re: extra long URL attack

This doesn't seem to work with Apache 1.1.1 on my Linux 2.0.27 box or NCSA
httpd 1.5.2 on Digital UNIX v3.2 41 alpha.

Maybe it's just the apache SSL extensions somehow?

I tried using Netscape 3.01 both ELF and Win32, lynx 2.5 (linux), lynx 2.6
(Digital unix) and MS Internet Explorer on NT.

Sam

At 10:43 PM 1/10/97 -0800, strick -- henry strickland wrote:
>I don't know about CGI attacks, but this extra long URL to
>my site running
>        Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
>will show you the raw contents of the top directory
>rather than the /index.html file (using Netscape Navigator 3.0 solaris
>for a browser).
>
>i've always wondered how safe it was to count on nobody seeing
>past your index.html -- now i know.  I wonder if some variant
>will get you the root directory of my entire filesystem instead
>of just the top directory of my web.  I knew I should have
>chrooted this stuff....
>
>szia, strick
--

// Sam Schlansky
// sam@serve.com
// http://b52-90.datanet.nyu.edu/sam
// PGP Key ID: 0x63A9D707

PGP Public key available upon request and at webpage.