Re: [Full-Disclosure] Does the Windows AUX bug affect Web servers also?

From: Michael Bemmerl (security_at_astrobox.net)
Date: 07/09/03

    To: "Full Disclosure" <full-disclosure@lists.netsys.com>
    Date: Wed, 9 Jul 2003 22:07:08 +0200
    
    

    I tested it with Apache 1.3.27 on my win-box with
    GET/POST/PUT/OPTIONS requests. It just shows me the default 403
    error page.
    Here is the line from the error.log logfile:
    [Wed Jul 09 21:40:23 2003] [error] [client 127.0.0.1] Filename is not valid: d:/inetserv-docroot/aux

    ----- Original Message -----
    From: "Richard M. Smith" <rms@computerbytesman.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Wednesday, July 09, 2003 6:49 PM
    Subject: [Full-Disclosure] Does the Windows AUX bug affect Web servers also?

    > Is it possible to also crash a Web server hosted on a Windows box using
    > a URL something like:
    >
    > http://www.somebody.com/aux
    >
    > If this particular URL is okay, maybe there are other URLs that will
    > cause a crash. For example, POSTing a form to a URL containing AUX.
    >
    > This problem could be in any Windows Web server such as IIS, Apache,
    > ColdFusion, etc.
    >
    > (I don't have access to a Windows Web server to try this out myself.)
    >
    > Richard
    >
    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of
    > xc3ed@phreaker.net
    > Sent: Wednesday, July 09, 2003 7:39 AM
    > To: full-disclosure@lists.netsys.com
    > Cc: KF
    > Subject: Re: [Full-Disclosure] Internet Explorer 6 DoS Bug
    >
    >
    > duplicated in Windows 2003 Server, datacenter edition, IE v6.0.3790.0
    >
    > regards, xsr
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
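
The check that Apache's "Filename is not valid" rejection performs can also be applied by a defender to request paths and to error.log entries. The following is an added example, not part of the original messages and not Apache's code: the function names are hypothetical, the device-name list beyond AUX is the well-known Windows reserved list rather than anything stated in the thread, and every sample log line except the first (copied from the reply above) is constructed.

```python
import re
from urllib.parse import unquote

# DOS device names Windows reserves in every directory. The thread only
# names AUX; the rest of the list is the well-known reserved set (assumption
# relative to the page).
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}

def reserved_segment(url_path):
    """Return the first path segment that resolves to a device name, else None."""
    path = url_path.split("?", 1)[0].split("#", 1)[0]
    # Conservative choice: decode twice so %61ux and %2561ux are both caught,
    # and treat backslashes as path separators.
    path = unquote(unquote(path)).replace("\\", "/")
    for segment in path.split("/"):
        # Trailing dots/spaces are dropped and an extension does not change
        # the meaning: "aux.txt" and "AUX ." still name the device. Cutting
        # at ":" as well is a conservative choice ("d:" stays harmless).
        base = re.split(r"[.:]", segment.rstrip(". "), maxsplit=1)[0].rstrip(" ")
        if base.upper() in RESERVED:
            return segment
    return None

# Matches the Apache 1.3 error.log format quoted in the reply above.
LOG_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] Filename is not valid: (?P<path>\S+)")

def scan_error_log(lines):
    """Return (client, path) for rejected filenames that hit a device name."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and reserved_segment(m["path"]):
            hits.append((m["client"], m["path"]))
    return hits

SAMPLE_LOG = [
    # From the reply above:
    "[Wed Jul 09 21:40:23 2003] [error] [client 127.0.0.1] Filename is not valid: d:/inetserv-docroot/aux",
    # Constructed lines:
    "[Wed Jul 09 21:41:02 2003] [error] [client 10.0.0.5] Filename is not valid: d:/inetserv-docroot/forms/LPT1.php",
    "[Wed Jul 09 21:41:07 2003] [error] [client 10.0.0.5] File does not exist: d:/inetserv-docroot/favicon.ico",
]

if __name__ == "__main__":
    for client, path in scan_error_log(SAMPLE_LOG):
        print(client, path)
```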

