Contributed by Dengue on from the errata dept.
"A buffer overflow can occur during the interpretation of chunked encoding in the http daemon, leading to possible remote crash."Many thanks to ViPER - DMRT for reminding me to post this.
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Cabal () on
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Comments
By rosie_bhjp () rosie_bhjp@fusedotnet on mailto:rosie_bhjp@fusedotnet
Comments
By patryck () on http://www.prozaq.nl
By Lars () on
By Frank Denis () j@bitchy-sex.com on http://www.bitchy-sex.com/
By Vincent Foley () on
Comments
By Miod Vallat () miod@openbsd.org on mailto:miod@openbsd.org
Comments
By Vincent Foley () on
Comments
By Anonymous Coward () on
By Vincent Foley () on
Comments
By Miod Vallat () miod@openbsd.org on mailto:miod@openbsd.org
By tony () tony@libpcap.net on www.libpcap.net
Comments
By Anonymous Coward () on
By Nobody () on
Comments
By Jason () on
By RC () on
Comments
By Nobody () on
Comments
By _azure () on
By Anonymous Coward () on
By Anonymous Coward () on
"default install" is what you have if you don't fiddle with the configuration after installation. If you do, like enabling Apache, the guarantee is gone.
By Anonymous Coward () on
Kind of funny how much attention this little line gets.
--
Install it, run it, love it. Or move on. OpenBSD
kicks butt.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Which is probably why even "safe" unpriv daemons are shut off with the default install.
That being said, it still kicks the fuck out of everything else out there; and I'm just happy to
be using it.
By JC () on
http://online.securityfocus.com/archive/1/277830/2002-06-18/2002-06-24/2
Anyone tried it yet?
I sense this vulnerability could turn into a mess..
JC
PS: Reassure me: it is normal for Apache to still show version 1.3.24 after patching (patch 005 on obsd 3.1) right?
By JC () on
http://online.securityfocus.com/archive/1/277830/2002-06-18/2002-06-24/2
Anyone tried it yet?
I sense this vulnerability could turn into a mess..
JC
PS: Reassure me: it is normal for Apache to still show version 1.3.24 after patching (patch 005 on obsd 3.1) right?
Comments
By JC () on
By Anonymous Coward () on
It manages to segfault apache children allright, but it doesn't spawn a shell. It just prints out "Ooops.. hehehe", which signifies that it failed...
It's been running in bruteforce mode too for about 10 minutes now, but I don't expect it's going to make it...
--------------------
$ ./apache-scalp 5 127.0.0.1:80
[*] Connecting.. connected!
[*] Currently using retaddr 0x9011a, length 29896, localport 15045
Ooops.. hehehe!
--------------------
(note: other targets fail too)
Comments
By Anonymous Coward () on
Either that or I'm just too stupid to use the exploit correctly -- which is always a possibility.
Comments
By Anonymous Coward () on
By Michael Anuzis () michael_anuzis@hotmail.com on http://www.anuzis.net/apachescalp.txt
http://www.anuzis.net/apachescalp.txt
--Michael
Comments
By Anonymous Coward () on
MY default install of 3.1
/usr/sbin/httpd -v
Server version: Apache/1.3.24 (Unix)
Server built: Apr 10 2002 16:15:30
-
-
Am I missing something in this little drama?
Comments
By Michael Anuzis () on
By Miod Vallat () miod@openbsd.org on mailto:miod@openbsd.org