Apache Exploit released by Gobbles: SecurityFocus

Navigation

User login

GWT in Practice at Manning
GWT in Practice at Amazon
GWT Resources

Unlocking Android at Manning
Unlocking Android at Amazon
Android Resources

Quote

Carl Sagan

I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true.

Apache Exploit released by Gobbles: SecurityFocus

Fri, 06/21/2002 - 09:27 — charlie.collins

Gobbles relased source code for the Apache chunked encoding exploit that will give the attacker a shell prompt. Pretty serious stuff, upgrade your damn apache. This release was source for a BSD exploit, but its there, its exploitable on all Linux platforms.

Gobbles was "fed up with the bullshit" from all the other security "experts" stating that this was not an exploitbale problem and decided to release the exploit to prove a point. It can be done and you dont need to pay some silly ass security consultant to tell you it cant. You also shouldnt listen to anything else that consultant has to say because all they have proven is that they dont know what they are talking about (I read several articles and even believed myself that this was not a big issue on Unix, I was wrong, I patched days ago anyway, but I dont charge people big money and dont purport to be an expert).

I like the move, the problem should be known, source code and all. That I think is part of the foundation that makes open source better. The good the bad and the ugly are AVAILABLE, KNOWN, etc. Of course there is already a patch, there was almost immediately upon publication of the theoretical exploit. Get the patch (still amazes me how many machines, Windows and UNIX, are exploitable based on ancient issues that have never been patched).

For more see the linked SecurityFocus article. Apache Exploit released by Gobbles: SecurityFocus