There have been some vulnerabilities related to wrong Content-Length
headers (e.g. recently "Content-Length: -1" crashes wwwoffle), however
AFAIK we have no generic test for a very simple attack:
POST more data than announced in Content-Length.
We should be able to kill at least a few embedded web servers...
Am I wrong?
--
mailto:arboi@bigfoot.com
GPG Public keys: http://michel.arboi.free.fr/pubkey.txt
http://michel.arboi.free.fr/ http://arboi.da.ru/
FAQNOPI de fr.comp.securite : http://faqnopi.da.ru/
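
The server-side handling that such a test would exercise, as an added example that is not part of the original post: a strict Content-Length parser and a body reader that never copies more than the announced length. `MAX_BODY`, `parse_content_length` and `take_body` are hypothetical names, and the input in `main` is constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BODY 8192   /* assumed per-request body limit for this sketch */

/* Strict parse: digits only, no sign, capped at MAX_BODY. 0 on success, -1 otherwise. */
int parse_content_length(const char *s, size_t *out)
{
    size_t n = 0;
    if (s == NULL || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s))
            return -1;                  /* rejects "-1", "+5", "12abc", " 7" */
        n = n * 10 + (size_t)(*s - '0');
        if (n > MAX_BODY)
            return -1;                  /* stops long before size_t can wrap */
    }
    *out = n;
    return 0;
}

/* recvd holds the recvd_len bytes that arrived after the header block.
 * Copies exactly `announced` bytes into dst; bytes beyond that are only
 * counted in *excess, never copied. Returns the number of bytes copied,
 * -1 if the body does not fit in dst, -2 if it has not fully arrived yet. */
long take_body(char *dst, size_t dst_cap, const char *recvd, size_t recvd_len,
               size_t announced, size_t *excess)
{
    if (announced > dst_cap)
        return -1;
    if (recvd_len < announced)
        return -2;
    memcpy(dst, recvd, announced);
    *excess = recvd_len - announced;
    return (long)announced;
}

int main(void)
{
    const char recvd[] = "helloEXTRA-DATA";  /* constructed: 5 announced, 15 sent */
    char body[MAX_BODY]; size_t len = 0, excess = 0;
    if (parse_content_length("5", &len) == 0 &&
        take_body(body, sizeof body, recvd, sizeof recvd - 1, len, &excess) >= 0)
        printf("body=%.*s, bytes past Content-Length=%zu\n", (int)len, body, excess);
    printf("\"-1\" accepted? %s\n", parse_content_length("-1", &len) == 0 ? "yes" : "no");
    return 0;
}
```

A server would then either treat the excess bytes as the start of the next pipelined request or close the connection; what it must not do is size a buffer from the header and fill it from the socket until the data stops.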