Posted to dev@httpd.apache.org by Bill Stoddard <re...@attglobal.net> on 2000/06/01 02:23:57 UTC

Re: IBM HTTP SERVER / APACHE (fwd)

It almost certainly applies to Apache, or at least to 1.3.7-dev as IHS doesn't change any of this
code.  I suspect it is broken on the current releases (1.3.12) as well.

Bill

----- Original Message -----
From: "Marc Slemko" <ma...@znep.com>
To: <se...@apache.org>; "TLOSAP" <ne...@apache.org>
Sent: Thursday, June 01, 2000 1:48 AM
Subject: IBM HTTP SERVER / APACHE (fwd)


> FYI.
>
> It may or may not apply to Apache itself on Win32, and may or may not be
> fixed in current versions.  What is happening here is almost certainly
> that it tries to look for index.html, etc. and the error code isn't
> properly interpreted to mean "that is too long, so bail".
>
> ---------- Forwarded message ----------
> Date: Wed, 31 May 2000 18:34:30 -0000
> From: Marek Roy <ma...@HOTMAIL.COM>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: IBM HTTP SERVER / APACHE
>
> I haven't seen any advisories for IBM HTTP SERVER running
> Apache.
>
> There is a crucial number of "/" (forward slash) you can
> use to retrieve the contents of the root directory of this
> particular Web Server.  Using this vulnerability, you can
> retrieve any files or scripts running from that directory
> and sub-directories.
>
> The number of "/" used to reproduce this can be different
> from one server to another.  I don't have enough time to do
> more testing.  However, feel free to add some more info to
> this quick advisory.
>
> You can get a trial copy at:
>
> http://www-4.ibm.com/software/webservers/httpservers/download.html#v136
>
> ====
>
> Vulnerable:
> Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Win32)
>
> Not Vulnerable:
> Server: IBM_HTTP_Server/1.3.6.2 Apache/1.3.7-dev (Unix)
>
> ====
>
> If you send a GET request of 210 "/", you get:
> The actual Web Page.
> ----
> If you send a GET request of 211 "/", you get:
> Index of /
> -----
> If you send a GET request of 212 "/", you get:
>
> Forbidden
> You don't have permission to access
> "/" x 212 on this server.
>
>
> Marek Roy
>
>
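
The failure mode Marc Slemko suspects above (an error from the index-file lookup that is not read as "that is too long, so bail") is shown below as a POSIX analog. This is an added example, not Apache or IHS code and not part of the original thread; `probe_index`, `resolve_flawed`, `resolve_hardened` and `demo_docroot` are hypothetical names, and it assumes `stat()` failing with `ENAMETOOLONG` on a POSIX system stands in for the Win32 path-length behaviour the report describes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum action { SERVE_INDEX, LIST_DIRECTORY, FORBIDDEN };

/* stat() "<dir><n slashes>index.html"; returns 0 or the errno of the failure. */
static int probe_index(const char *dir, size_t slashes) {
    size_t dlen = strlen(dir);
    char *p = malloc(dlen + slashes + sizeof "index.html");
    struct stat st;
    if (!p) return ENOMEM;
    memcpy(p, dir, dlen);
    memset(p + dlen, '/', slashes);
    strcpy(p + dlen + slashes, "index.html");
    int err = stat(p, &st) == 0 ? 0 : errno;
    free(p);
    return err;
}

/* Flawed: any failure is read as "no index file", so a listing is produced. */
enum action resolve_flawed(const char *dir, size_t slashes) {
    return probe_index(dir, slashes) == 0 ? SERVE_INDEX : LIST_DIRECTORY;
}

/* Hardened: only ENOENT means the index is absent; other errors fail closed. */
enum action resolve_hardened(const char *dir, size_t slashes) {
    int err = probe_index(dir, slashes);
    if (err == 0) return SERVE_INDEX;
    return err == ENOENT ? LIST_DIRECTORY : FORBIDDEN;
}

/* Demo setup (constructed): temp directory, optionally holding index.html. */
const char *demo_docroot(int with_index) {
    static char dir[32], file[64];
    strcpy(dir, "/tmp/docrootXXXXXX");
    if (!mkdtemp(dir)) return NULL;
    snprintf(file, sizeof file, "%s/index.html", dir);
    if (with_index) { FILE *f = fopen(file, "w"); if (f) fclose(f); }
    return dir;
}

int main(void) {
    const char *d = demo_docroot(1);
    if (d) printf("flawed=%d hardened=%d\n", resolve_flawed(d, 5000), resolve_hardened(d, 5000));
    return d ? 0 : 1;
}
```

With 5000 slashes the probed path exceeds `PATH_MAX` on Linux, so the lookup fails even though `index.html` exists: the flawed resolver falls through to a directory listing, while the hardened one refuses the request.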