[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Apache Killer

To: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Apache Killer
From: "HI-TECH ." <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>
Date: Thu, 25 Aug 2011 06:43:06 +0200

Hi Michal,
just for the record I have the impression that this not the same vulnerability
you outlined in your advisory a while back. It is more that the idea
for this vulnerability originated from your advisory, not the same bug.
Actually I even think that the while back when you released the advisory
there was a patch for both Apache and IIS by limiting the maximal Byte Range
headers slightly. This is a feeling I got over years of fuzzing for httpd bugs.

Regards,

Kingcope

2011/8/24 HI-TECH . <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx>:
> Hi Michal,
> What do you think from where this originated ?
> Was you outlining it a while back :)
>
> /kc
>
> 2011/8/24 Michal Zalewski <lcamtuf@xxxxxxxxxxx>:
>>> http://www.gossamer-threads.com/lists/apache/dev/401638
>>
>> FWIW, I pointed out the DoS-iness of their Range handling a while ago:
>> http://seclists.org/bugtraq/2007/Jan/83
>>
>> /mz
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Apache Killer
  - From: Michal Zalewski

References:
- [Full-disclosure] Apache Killer
  - From: HI-TECH .
- Re: [Full-disclosure] Apache Killer
  - From: Moritz Naumann
- Re: [Full-disclosure] Apache Killer
  - From: HI-TECH .
- Re: [Full-disclosure] Apache Killer
  - From: Michal Zalewski
- Re: [Full-disclosure] Apache Killer
  - From: HI-TECH .

Prev by Date: Re: [Full-disclosure] Apache Killer
Next by Date: Re: [Full-disclosure] Apache Killer
Previous by thread: Re: [Full-disclosure] Apache Killer
Next by thread: Re: [Full-disclosure] Apache Killer
Index(es):
- Date
- Thread