Posted to dev@httpd.apache.org by Ben Laurie <be...@gonzo.ben.algroup.co.uk> on 1996/04/22 20:16:24 UTC

Re: security hole. bluff?

Brian Behlendorf wrote:
> 
> On Mon, 22 Apr 1996, Tom Tromey wrote:
> > Rob> has anyone yet seen an example of how to exploit the recent
> > Rob> security "hole"?
> > 
> > I saw a note on comp.infosystems.www.servers.unix that indicated that
> > there was no way to exploit the hole.  The message said that the
> > reason \n should be escaped is for poorly-written CGIs.  The author
> > said he had talked to the originator of the report...
> > 
> > I have no idea if this bears any relation to reality.
> 
> The gentleman whose message I responded to, bcc'ing the list, came back 
> and said "I don't have to prove anything to you, if you just read 
> comp.security you're way out of the loop, this hole has compromised 
> some of the biggest sites on the net".  I asked him to put up or shut up, 
> and he has yet to come back.  

Perhaps it's all a plot by Netscape to get Apache's security alert level up near
theirs [insert massive smiley here].

Cheers,

Ben.

> 
> 	Brian
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> brian@organic.com  |  We're hiring!  http://www.organic.com/Home/Info/Jobs/
> 

-- 
Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.