Netscape Server Attacks
No, calmdown, I haven't found a hole in the server yet, but if you want to win some T-Shirts, here's some potential avenues to try. I've been messing with these, and maybe some other c'punk can find one that will work. 1) buffer overflow attacks in the HTTP request header Example: The HTTP/1.0 full request has an "If-Modified-Since" header which takes a date string. If Netscape assumes this string is not going to be longer than a certain width.... Look for ways to attack the HTTP request headers. See http://www.w3.org/pub/WWW/Protocols/HTTP1.0/draft-ietf-http-spec.html CGI attacks 2)Shell metacharacters, or extremely long paths, may lead the way to executing arbitrary shell commands on the server. 3) Overflow the URL in a CGI GET by using too many form variables in the response. Server attacking client 4) use the Location: redirection header to send a long domain 5) use Location: redirection or Refresh: to load up file:localfile You can force the browser to load up any arbitrary file the user has access to local to his client Example: Refresh: 1 file:config.sys 6) send back a page with an EXTREME number of Motif HTML FORM widgets in a <FORM>. E.g. send back 10,000 radio buttons. Happy Hunting, -Ray
participants (1)
-
Ray Cromwell