That is EXACTLY the kind of glaring inaccuracies I was looking for..
Cheers.
Sampsa
On 22 Sep 2009, at 21:03, Steve Davidson wrote:
Sampsa,
TOPS-20 never ran on a PDP-11. TOPS-20 ran on the 36-bit DECsystem-20.
-Steve
-----Original Message-----
From: owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] On
Behalf Of Sampsa Laine
Sent: Tuesday, September 22, 2009 15:56
To: hecnet at Update.UU.SE
Subject: Re: [HECnet] Security hole in CSWS
Guys, I've written a quick blurb about the flaw I found etc that I'm
posting on my blog once the Apace guys say they're releasing it.
Comments? Glaring factual inaccuracies? The intended audience is a
fairly technical bunch, prob mostly infosec consultants and pentesters.
http://rhesus.sampsa.com/csws-flaw/
On 22 Sep 2009, at 20:34, Sampsa Laine wrote:
It appears that
RewriteRule (;[0-9]*\?)|(;[0-9]*$) [R]
works as well.
The VMS Apache guys know about this and are working on it as we
speak, but I would suggest letting any clients etc know about this
before the formal advisory goes out as I should think this will hit
the automated testing tools such as Nessus pretty soon after that.
Sampsa
On 22 Sep 2009, at 20:27, Pontus wrote:
Hi
I'm not going to pretend I know mod_rewrite, but I spent some time
with
the docs and thought you could use the grouping info to replace with
what you matched:
(.*)(;[0-9]*\?) $1
(.*)(;[0-9]*$) $1
(I wrote two rules as I'm uncertain how the | binds)
Alternatively this passage from the docs might provide an alternative
solution:
<snip>
Additionally you can set special flags for Substitution by appending
[flags]
as the third argument to the RewriteRule directive. Flags is a
comma-separated list of the following flags:
<...>
- *||*'forbidden|F' (force URL to be forbidden)
This forces the current URL to be forbidden, i.e., it immediately
sends
back a HTTP response of 403 (FORBIDDEN). Use this flag in conjunction
with appropriate RewriteConds to conditionally block some URLs.
</snip>
Then you could at least avoid people reading the source.
/Pontus.
Sampsa Laine wrote:
Dennis,
I've got the rule down to:
RewriteRule (;[0-9]*\?)|(;[0-9]*$) /
but this is not ideal, as I don't really want to replace the ;
with a
/, just drop it but can't figure out the syntax for "replace with
nothing".
Any ideas?
Sampsa
On 21 Sep 2009, at 22:12, Dennis Boone wrote:
Yes, I have reported it to VMS engineering in India about an
hour ago
(well I assume in India, the guys had subcontinent accents) and
they
said they'd get back to me.
In the meantime, if CSWS has mod_rewrite, you might be able to
produce a
temporary fix in the form of a rewrite rule that rips the ;* off
the
end[1]
of .php urls.
[1] Well, ok, might be the middle too, if it's a GET with
parameters,
but that's just a slightly more involved pattern.
De