Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: extra long URL attack

Re: extra long URL attack

From: Sam Schlansky <sam_at_serve.com>
Date: Sat, 11 Jan 1997 12:27:01 -0500

This doesn't seem to work with Apache 1.1.1 on my Linux 2.0.27 box or NCSA
httpd 1.5.2 on Digital UNIX v3.2 41 alpha.

Maybe its just the apache SSL extensions somehow?

I tried using Netscape 3.01 both ELF and Win32, lynx 2.5 (linux), lynx 2.6
(Digital unix) and MS Internet Explorer on NT.

Sam

At 10:43 PM 1/10/97 -0800, strick -- henry strickland wrote:
>I don't know about CGI attacks, but this extra long URL to
>my site running
> Server version Stronghold/1.3 Ben-SSL/1.3 Apache/1.1.1.
>will show you the raw contents of the top directory
>rather than the /index.html file (using Netscape Navigator 3.0 solaris
>for a browser).
>
>i've always wondered how safe it was to count on nobody seeing
>past your index.html -- now i know. I wonder if some varient
>will get you the root directory of my entire filesystem instead
>of just the top directory of my web. I knew I should have
>chrooted this stuff....
>
>szia, strick 

--
// Sam Schlansky
// sam_at_serve.com
// http://b52-90.datanet.nyu.edu/sam
// PGP Key ID: 0x63A9D707
PGP Public key available upon request and at webpage.
Received on Jan 11 1997
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos