This is affecting Tomcat and likely other web servers too.

IC Stars: This is affecting Tomcat and likely other web servers too.

Yeah, it's actually easier to make a list of servers that aren't affected. Pretty much anything not written in PERL, from what I understand.

IC Stars: This is affecting Tomcat and likely other web servers too.

I'm mostly familiar with Apache, but isn't setting a limit to the size of a request considered standard practice?

If you got web problems I feel for you, son /
I got 99 problems but ASP ain't one.

downstairs: MrEricSir: I'm mostly familiar with Apache, but isn't setting a limit to the size of a request considered standard practice?

As well, isn't it limited by default? And its pretty low. For some applications I've had to increase it in IIS.

Turns out, with all but the latest versions of Apache Tomcat, the maxHttpHeaderSize directive does have a default value, but was ignored.

Fish in a Barrel : Yeah, it's actually easier to make a list of servers that aren't affected. Pretty much anything not written in PERL, from what I understand.

if ($ENV{'CONTENT_LENGTH'} > $config{'MAX_CONTENT_LENGTH'}) {die "Content Length longer than max. Suck it."}

/pseudocode, typed from what I can remember of the perl web libraries

/used to write a ton of web based perl app, many of them are still running even though I haven't supported them for 5 years.

It's threads like this (with you damned ultra nerds discussing advanced programming techniques) that make me wonder if I could really do a BS IT degree.

/thanks for the confidence lowering, poopy heads.

Marine1: It's threads like this (with you damned ultra nerds discussing advanced programming techniques) that make me wonder if I could really do a BS IT degree.

/thanks for the confidence lowering, poopy heads.

Meh. That comes with experience.

Mostly you learn from doing it, having something weird happen after you thought it was working just fine, then obsessing about it for a day or two until you reach a glorious eureeka moment that you can't share with anyone else (because their eyes will just glaze over and/or assess the best possible escape routes away from you). You'll begin to understand what's actually happening in the machine and the cycle continues until you eventually achieve mastery.

That shouldn't lower your confidence. What might lower your confidence is finding an IT job that requires less than 5 - 7 years of experience.

More helpfully: You should call up local businesses and ask to schedule courtesy interviews while you're still in school. Pop that awkward cherry early. It'll put you head and shoulders over potential candidates in the future too.

Marine1: It's threads like this (with you damned ultra nerds discussing advanced programming techniques) that make me wonder if I could really do a BS IT degree.

/thanks for the confidence lowering, poopy heads.

I have a CS degree and I understand fully the dialog in the article and here. What's mind boggling is the fact that someone found this vulnerability.

To hell with Microsoft. I reinstalled Vista last week and though I never use IE, wanted to update it from 7 to 9.

They wanted me to use Windows Update, which decided to stop working when I tried installing SP1. No thanks, I'm not locking my shiat up and restarting 3 times just to get back where I am right now.

Phil McKraken: I have a CS degree and I understand fully the dialog in the article and here. What's mind boggling is the fact that someone found this vulnerability.

It's a common cracking technique (push more data than ever expected, see if something breaks).

Especially since a lot of "Web Developers (TM)", only do bounds checking on the client side.

//

At one point in my career, I was the code review/validation guy. I used to craft evil stuff in perl (mostly using libwww), then webdeveloper toolbar for firefox came out, and some stuff became ridiculously easy.

Sooo, you set that HTML input box to only accept 50 characters? Well let me just remove that with webdeveloper toolbar and see what happens if I stuff 200 characters in there.

Ohh, you have a pull down box, let me use webdeveloper toolbar to convert it to an input box, you ARE checking the values you get on the server side, RIGHT!?

Let's see what happens when I remove the default selection in a radio selection group.

/hates that FARK modifies your post on preview and removes "broken" image links. Then disables the add comment button when you go back a page. No worries, WDT -> Enable Form Fields :P