No subject

Tue Jun 4 12:17:20 MDT 2013

From: Mark J Cox <mjc at>
To: bugtraq at
Subject: Apache httpd: vulnerability with chunked encoding
Date: June 17, 2002
Product: Apache Web Server
Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
up to 2.0.39


While testing for Oracle vulnerabilities, Mark Litchfield discovered a
denial of service attack for Apache on Windows.  Investigation by the
Apache Software Foundation showed that this issue has a wider scope, which
on some platforms results in a denial of service vulnerability, while on
some other platforms presents a potential a remote exploit vulnerability.

We were also notified today by ISS that they had published the same issue
which has forced the early release of this advisory.

The Common Vulnerabilities and Exposures project ( has
assigned the name CAN-2002-0392 to this issue.

ISS jumped the gun without contacting the Apache httpd team and blew a
coordinated Apache/Oracle/IBM/CERT effort.  A lot of people are royally
ticked with them for this, they didn't try to minimize the damage at all
but instead went for the publicity.  I'm a full disclosure advocate but
NGSSoftware was handling this responsibly and ISS (normally a reputable
company) messed up badly.

Jonathan Conway						      rise at
history is paling & my surge protection failed, & so I FRIED
						- Concrete Blonde, "Fried"

More information about the LUG mailing list