Mailing List Archive: apache hole

apache hole

Jun 18, 2002, 12:35 AM

Post #1 of 3 (695 views)

i am going to write a script for the apache hole (banner based).

here more information if someone wants to write a fully exploit for this
hole:

[Apache Group] http://httpd.apache.org/info/security_bulletin_20020617.txt
[Apache CVS]
http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c
[X-Force ISS]
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502

Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
up to 2.0.36

Regards,
Felix Huber

Re: apache hole [ In reply to ]

huberfelix at webtopia

Jun 18, 2002, 12:40 AM

Post #2 of 3 (673 views)

Permalink

Oh, just saw that Renaud already released a Script:
http://www.nessus.org/nasl/apache_chunked_encoding.nasl

----- Original Message -----
From: "Felix Huber" <huberfelix@webtopia.de>
To: <plugins-writers@list.nessus.org>
Sent: Tuesday, June 18, 2002 9:35 AM
Subject: apache hole

> i am going to write a script for the apache hole (banner based).
>
> here more information if someone wants to write a fully exploit for this
> hole:
>
> [Apache Group] http://httpd.apache.org/info/security_bulletin_20020617.txt
> [Apache CVS]
> http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/main/http_protocol.c
> [X-Force ISS]
> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502
>
> Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
> up to 2.0.36
>
> Regards,
> Felix Huber
>

Re: apache hole [ In reply to ]

deraison at nessus

Jun 18, 2002, 1:37 AM

Post #3 of 3 (682 views)

Permalink

On Tue, Jun 18, 2002 at 09:40:53AM +0200, Felix Huber wrote:
> Oh, just saw that Renaud already released a Script:
> http://www.nessus.org/nasl/apache_chunked_encoding.nasl

Not a good one though - just pattern matching on version number. I'll
try to get more info about the hole and write a proper script.