On Tue, 27 Feb 1996 13:33:00 -0500 Rebecca Bole said:
>We recently downloaded the MPE/iX version of HTTPd 1.3 from jazz. Since we
>know very little about Web servers here, I was browsing through the
>HTTPd documentation on http://hoohoo.ncsa.uiuc.edu and found a WWW Security
>FAQ that said there was a "serious security hole" in HTTPd versions prior
>to 1.4.
The 3000 version does NOT have this security hole; if it is attacked, it will
abort with a VSM error. The "hole" was used to send more data into a buffer
than the server expected, sneaking in code to be executed. MPE does not allow
you to write to code pages nor branch to data pages so it simply aborts.
Jeff Kell <[log in to unmask]>