|
Full Disclosure
mailing list archives
Re: Apache Killer
From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Thu, 25 Aug 2011 06:43:06 +0200
Hi Michal,
just for the record I have the impression that this not the same vulnerability
you outlined in your advisory a while back. It is more that the idea
for this vulnerability originated from your advisory, not the same bug.
Actually I even think that the while back when you released the advisory
there was a patch for both Apache and IIS by limiting the maximal Byte Range
headers slightly. This is a feeling I got over years of fuzzing for httpd bugs.
Regards,
Kingcope
2011/8/24 HI-TECH . <isowarez.isowarez.isowarez () googlemail com>:
Hi Michal,
What do you think from where this originated ?
Was you outlining it a while back :)
/kc
2011/8/24 Michal Zalewski <lcamtuf () coredump cx>:
http://www.gossamer-threads.com/lists/apache/dev/401638
FWIW, I pointed out the DoS-iness of their Range handling a while ago:
http://seclists.org/bugtraq/2007/Jan/83
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
Re: Apache Killer HI-TECH . (Aug 24)
Re: Apache Killer root (Aug 25)
Re: Apache Killer Michal Zalewski (Aug 25)
Re: Apache Killer root (Aug 25)
Re: Apache Killer Dan Kaminsky (Aug 25)
Re: Apache Killer root (Aug 25)
Re: Apache Killer Dan Kaminsky (Aug 25)
Re: Apache Killer root (Aug 25)
(Thread continues...)
| 
