Message from Ken at Jul 30 09:26 in parts:

K> Tested & Vulnerable apache 1.3.4 on bsdi 4.0
K> Turned off "MultiViews" & now we're not vulnerable.
K> Multiviews controls content negotiation, so you could have some problems
K> if you have multilingual customer base, but this isn't much of an issue
K> for us.
K> This is the easy fix, yes?

The easiest, proper and secure way to fix that is to upgrade the Apache server to the fixed version, as did the person who reported below. It is generally a bad idea to test vulnerabilities of older versions and proudly report them to Bugtraq when anybody can get the most correct information from the Release Notes @ www.apache.org

K> > >I was unable to reproduce it on Apache 1.3.20/PHP4.0.6/mysql-3.23.36 on
K> > >Slackware 7.0.

SY, Seva Gluschenko, just stranger on The Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator. | GVS-RIPE | GVS3-RIPN