[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Law10-OE523s1wsXZZT000018b7@hotmail.com>
Date: Sat, 26 Apr 2003 15:53:34 -0700
From: "Justin [GHA]" <fanderatm@...mail.com>
To: "Kim De Smaele" <kim.de.smaele@...dora.be>,
<bugtraq@...urityfocus.com>
Cc: <debian-security@...ts.debian.org>
Subject: Re: Apache http server 2.0
I tried the following query and didn't experience anything odd.
http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&q=%22%2C.%2F%5C%5B%5D%2
F-%21%60%7E@...%24%25%5E%3D%2B%28%29-%7B%7D%3C%3E%3B%3A%7C%27%22
The hex here is the string ,./\[]-!`~@...^=+()-{}<>;:| '"
Any combination of these characters will result in only the header of the
google search,a dn the copyright to be displayed.
I also tried queries such as "�" This returned the same
results. Although, a query of "0" returned appropriate results, "/"
returned nothing again. It is speculated that all characters with an ASCII
value of 0-47, excluding 42, will return nothing.
Further research is need, however, this may only be a bug, rather than
something that is exploitable.
http://search.yahoo.com/bin/search?p=%2C.%2F%5C%5B%5D-%21%60%7E@%23%24%25%5E
%3D%2B%28%29-%7B%7D%3C%3E%3B%3A%7C+%27%22&ei=UTF-8 also did not display
anything odd
-Justin
GHA - http://gha.bravepages.com
----- Original Message -----
From: "Kim De Smaele" <kim.de.smaele@...dora.be>
To: <bugtraq@...urityfocus.com>
Cc: <debian-security@...ts.debian.org>
Sent: Friday, April 25, 2003 5:20 PM
Subject: Apache http server 2.0
> Hi all,
>
> I experienced a very strange apache responce today in our production
> environment at work. A user in a discussion room a posting containing
> the following characters:
>
> ,,''
>
> This gave the result that several pages could not longer be displayed.
> I also tried this on search engine http://www.google.com which gave the
> same result. Nothing of results and not even the message "no results
> found..." could be display. If you even keep on refreshing you will
> notice that also the google logo will disappear.
> On our servers, we didn't notice anything in the logs.
>
> I have done a test with several browsers and I had every time the same
> result as described above:
>
> Internet Explorer
> Netscape (windows)
> Mozilla (Linux)
> Opera (Linux)
>
> Personally I'm not sure but I'm getting the idea that this might me
> exploitable. For example, executing code/commands after using the
> characters as mentioned above followed by the code or the commands in a
> search engine, discussion rooms,...
>
> Kind regards,
>
> Kim De Smaele
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@...ts.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@...ts.debian.org
>
>
Powered by blists - more mailing lists