On Tue, 19 Jun 2007 12:44:00 PDT, coderman said: > is there a page somewhere that details which web servers handle sloppy > input? (i bet the embedded httpd's are the most resistant) I'm tempted to take that bet. Lot of people have thrown lots of truly wild stuff at the Apache code over the years - it may react in *unexpected* ways, but it's probably pretty bulletproof. On the other hand, that little webserver admin tool that's stuffed into one corner of your DSL modem's ROM probably got tested: "Each menu goes to the page it's supposed to, if you enter an IP here it sets it, if you enter a port there it DTRT", with little to no serious abuse of the interface. I'll bet half the gear out there, the test suite never even *considered* that maybe a 0x0c should be sent, even if just for shits-n-giggles to see what happens.
Attachment:
pgp0OKLNmz1pG.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/