Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1997/01/23 11:15:18 UTC

Misleading directions

The front page on www.apache.org suggests upgrading to a 1.2 beta to fix the
recent holes. Snag is 1.2b4 still allows the multiple slash hole...

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author

Re: Misleading directions

Posted by Marc Slemko <ma...@znep.com>.
No, the cookie buffer overflow is the one that is arguably not a problem
in 1.2b4 because it is allocated on the heap, not the stack.  This means
you can't use the standard trick of overwriting the (saved) program
counter, etc. to gain control.  It doesn't necessarily mean it is
unexploitable, but it is generally far far harder.

The mod_dir problem is in 1.2b4.

On Fri, 24 Jan 1997, Brian Behlendorf wrote: 

> On Thu, 23 Jan 1997, Ben Laurie wrote:
> > The front page on www.apache.org suggests upgrading to a 1.2 beta to fix the
> > recent holes. Snag is 1.2b4 still allows the multiple slash hole...
> 
> I thought it was not a problem in 1.2b4?
> 
> 	Brian
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
> 


Re: Misleading directions

Posted by Brian Behlendorf <br...@organic.com>.
On Thu, 23 Jan 1997, Ben Laurie wrote:
> The front page on www.apache.org suggests upgrading to a 1.2 beta to fix the
> recent holes. Snag is 1.2b4 still allows the multiple slash hole...

I thought it was not a problem in 1.2b4?

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS