Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
- To: "Valdis.Kletnieks@xxxxxx" <Valdis.Kletnieks@xxxxxx>
- Subject: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
- From: coderman <coderman@xxxxxxxxx>
- Date: Tue, 19 Jun 2007 14:54:28 -0700
On 6/19/07, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:
> ...
> I'm tempted to take that bet. Lot of people have thrown lots of truly wild
> stuff at the Apache code over the years - it may react in *unexpected* ways,
> but it's probably pretty bulletproof.
agreed.
> On the other hand, that little webserver admin tool that's stuffed into one
> corner of your DSL modem's ROM probably got tested ... with little to no
> serious abuse of the interface.
absolutely. i didn't mean to imply that embedded and lightweight
webservers were more robust, they surely aren't. only that they would
be much less likely to interpret arbitrary unprintable characters in a
request as valid.
in particular, buffer overflows are not uncommon for embedded devices,
like those who don't expect a request URL to exceed 1024 characters,
etc...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
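
An added example, not part of the original message or of any server discussed in the thread: a request-line check in C that refuses unprintable bytes in the request target and bounds the target length before copying it. The names parse_request_line, status_for_target_len, demo_url and URL_MAX are hypothetical; the 1024 limit is the figure from the message above.

```c
#include <stddef.h>
#include <string.h>

#define URL_MAX 1024 /* the limit mentioned in the message above */
enum { REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };
static char demo_url[URL_MAX + 1]; /* output buffer used by the demo helper */

/* Validate "METHOD SP target SP HTTP/1.x" in line[0..len), CRLF already stripped.
 * On REQ_OK the target is copied, NUL-terminated, into url_out (capacity url_cap). */
int parse_request_line(const char *line, size_t len, char *url_out, size_t url_cap)
{
    const unsigned char *p = (const unsigned char *)line;
    size_t i = 0, start, n;

    while (i < len && p[i] >= 'A' && p[i] <= 'Z') /* method token */
        i++;
    if (i == 0 || i >= len || p[i] != ' ')
        return REQ_BAD;
    start = ++i;
    /* Target: printable ASCII only. Control bytes and high-bit bytes are
     * refused, not skipped or treated as separators. */
    while (i < len && p[i] != ' ') {
        if (p[i] < 0x21 || p[i] > 0x7e) return REQ_BAD;
        i++;
    }
    n = i - start;
    if (n == 0) return REQ_BAD;
    /* Bound the length before any copy; omitting this check is the overflow. */
    if (n > URL_MAX || n >= url_cap)
        return REQ_URI_TOO_LONG;
    /* Exactly " HTTP/1.0" or " HTTP/1.1" must remain. */
    if (len - i != 9 || memcmp(p + i, " HTTP/1.", 8) != 0 ||
        (p[i + 8] != '0' && p[i + 8] != '1'))
        return REQ_BAD;

    memcpy(url_out, p + start, n);
    url_out[n] = '\0';
    return REQ_OK;
}

/* Demo helper: status for a constructed request whose target is n bytes. */
int status_for_target_len(size_t n)
{
    static char req[4096];
    if (n + 13 > sizeof req) return -1;
    memcpy(req, "GET ", 4);
    memset(req + 4, 'a', n);
    req[4] = '/';
    memcpy(req + 4 + n, " HTTP/1.1", 9);
    return parse_request_line(req, n + 13, demo_url, sizeof demo_url);
}
```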