[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Netscape Server Attacks
No, calmdown, I haven't found a hole in the server yet, but if you
want to win some T-Shirts, here's some potential avenues to try. I've
been messing with these, and maybe some other c'punk can find
one that will work.
1) buffer overflow attacks in the HTTP request header
Example: The HTTP/1.0 full request has an "If-Modified-Since" header
which takes a date string. If Netscape assumes this string is not going
to be longer than a certain width....
Look for ways to attack the HTTP request headers. See
http://www.w3.org/pub/WWW/Protocols/HTTP1.0/draft-ietf-http-spec.html
CGI attacks
2)Shell metacharacters, or extremely long paths, may lead the way to
executing arbitrary shell commands on the server.
3) Overflow the URL in a CGI GET by using too many form variables in
the response.
Server attacking client
4) use the Location: redirection header to send a long domain
5) use Location: redirection or Refresh: to load up file:localfile
You can force the browser to load up any arbitrary file the user
has access to local to his client
Example: Refresh: 1 file:config.sys
6) send back a page with an EXTREME number of Motif HTML FORM widgets
in a <FORM>. E.g. send back 10,000 radio buttons.
Happy Hunting,
-Ray