mailing list archives
Re: Fw: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit
From: rain forest puppy <rfp () wiretrip net>
Date: Thu, 28 Jun 2001 18:06:52 -0500 (CDT)
Well, I might as well have my hand in recoding this exploit. ;)
Attached is apache3.pl, which is a recoded version of Siberian's recode of
Matt Watchinski's exploit. My version uses libwhisker, which allows the
exploit to have HTTP/1.1, proxy, and SSL support automatically. Basic
support (not including SSL) should work for any platform having Perl.
To use the attached exploit, you'll need a copy of libwhisker. The latest
is pr3, downloadable at:
You can either grab the developer tarball and build/install it, or just
grab the libwhisker.pm, put it in the same directory as the apache3.pl,
and just run apache3.pl--perl will use the libwhisker.pm module in the
For SSL support, you'll need either Crypt::SSLeay or Net::SSLeay installed
(which may require OpenSSL). I think ActiveState has ported
Crypt::SSLeay/Net::SSL (not Net::SSLeay) over to Windows, so Windows users
should have SSL support as well.
If anyone is interested in libwhisker and further using it, consider
joinging the whisker-devel mailing list at:
And as always, feedback always welcome. See everyone at BlackHat/DefCon!