Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: IPS Evasion with the Apache HTTP Server
From: coderman <coderman () gmail com>
Date: Tue, 19 Jun 2007 14:54:28 -0700

On 6/19/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
I'm tempted to take that bet.  Lot of people have thrown lots of truly wild
stuff at the Apache code over the years - it may react in *unexpected* ways,
but it's probably pretty bulletproof.


On the other hand, that little webserver admin tool that's stuffed into one
corner of your DSL modem's ROM probably got tested ... with little to no
serious abuse of the interface.

absolutely.  i didn't mean to imply that embedded and lightweight
webservers were more robust, they surely aren't.  only that they would
be much less likely to interpret arbitrary unprintable characters in a
request as valid.

in particular, buffer overflows are not uncommon for embedded devices,
like those who don't expect a request URL to exceed 1024 characters,

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]