HP3000-L Archives

February 1996, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Tue, 27 Feb 1996 15:42:30 EST

On Tue, 27 Feb 1996 13:33:00 -0500 Rebecca Bole said:
>We recently downloaded the MPE/iX version of HTTPd 1.3 from jazz.  Since we
>know very little about Web servers here, I was browsing through the
>HTTPd documentation on http://hoohoo.ncsa.uiuc.edu and found a WWW Security
>FAQ that said there was a "serious security hole" in HTTPd versions prior
>to 1.4.
 
The 3000 version does NOT have this security hole; if it is attacked, it will
abort with a VSM error.  The "hole" was used to send more data into a buffer
than the server expected, sneaking in code to be executed.  MPE does not allow
you to write to code pages nor branch to data pages so it simply aborts.
 
Jeff Kell <[log in to unmask]>
