Subj : bbs shut down http log
To   : Digital Man
From : zztzed
Date : Tue Jun 28 2005 02:12 pm

On 06-27-05 20:46, Digital Man wrote to DieselMan in DOVE-Net Unix Discussion:

 DM> Looks like an inadvertent bug in the web server. It wasn't "hacked".
 DM> If/when I or Deuce and reproduce the problem (soon hopefully), we'll
 DM> fix it.

As far as I can tell, the problem is that it writes the raw contents of the
HTTP request to the console.  Under normal circumstances this wouldn't be a
problem, since a browser will URL-encode nonprintable control characters and
characters greater than ASCII 127.  Someone telnetting to port 80, or a worm
scanning for hosts to infect, on the other hand, probably wouldn't.

The steps I took to reproduce the problem were:
   1. telnet to my BBS's webserver
   2. enter some control characters and high-ASCII junk 
   3. observe as it is reproduced on the SBBS console basically verbatim


.... Despite the high cost of living, it remains popular.
--- MultiMail/Win32 v0.46
 þ Synchronet þ One-Armed Scissor - telnet://bbs.geekmafia.net:9923/

.