| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFB=mGABqpUqjF9ntf=ACav=SaB6S6EYEvER7gZeEYo1A_M3xQ@mail.gmail.com> Date: Thu, 25 Aug 2011 06:43:06 +0200 From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com> To: Michal Zalewski <lcamtuf@...edump.cx> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Apache Killer Hi Michal, just for the record I have the impression that this not the same vulnerability you outlined in your advisory a while back. It is more that the idea for this vulnerability originated from your advisory, not the same bug. Actually I even think that the while back when you released the advisory there was a patch for both Apache and IIS by limiting the maximal Byte Range headers slightly. This is a feeling I got over years of fuzzing for httpd bugs. Regards, Kingcope 2011/8/24 HI-TECH . <isowarez.isowarez.isowarez@...glemail.com>: > Hi Michal, > What do you think from where this originated ? > Was you outlining it a while back :) > > /kc > > 2011/8/24 Michal Zalewski <lcamtuf@...edump.cx>: >>> http://www.gossamer-threads.com/lists/apache/dev/401638 >> >> FWIW, I pointed out the DoS-iness of their Range handling a while ago: >> http://seclists.org/bugtraq/2007/Jan/83 >> >> /mz >> > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists