RE: Apache vulnerability checking
From: Elan Hasson (elan@daryl.org)
Date: 06/24/02
From: "Elan Hasson" <elan@daryl.org>
To: "Syzop" <syz@dds.nl>
Date: Mon, 24 Jun 2002 02:24:31 -0400
Yahoo runs a private version of Apache.
Geocities is owned by Yahoo, so I assume the same.
-----Original Message-----
From: Syzop [mailto:syz@dds.nl]
Sent: Sunday, June 23, 2002 6:01 AM
To: vuln-dev@securityfocus.com
Subject: Apache vulnerability checking
Hi,
I've been checking sites for some time now with this
attached prog (and mailing the webmasters), what it does is send a:
--
GET /checkapache.html HTTP/1.0
Transfer-Encoding: chunked
999999999; a 0
--
request, and see what happens.
Vulnerable apache: crashes, so connection is closed.
Not vulnerable apache: sends something back
IIS/some other things: waits for more data (?)
Anyway, I thought that when I'm sure it's an apache server ("Server: Apache blabla") and it crashes then it must be vulnerable. Is this always the case? This morning I received a mail from some admin who I had mailed and he told me they had already upgraded. Full server version: "Server: Apache/1.3.24 (Unix) (Red-Hat/Linux) mod_ssl/2.8.8 OpenSSL/0.9.6b mod_perl/1.26"
So my question is: has redhat changed something in the bad-chunked-encoding-detected-behavior in their backport or did this guy just forget to restart apache?
Btw, there are some other "major sites" which do also drop the connection but I couldn't see if they were running apache servers.
www.tucows.com / www.geocities.com / www.yahoo.com / etc
They do respond to "good" chunked encoding requests. Anyway I didn't mail them since it could be some weird http server behavior.
Cya,
Bram Matthys