> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01)
and I've found, that it can be tricked into executing shell commands.
Actually, this bug is similar to the bug in fingerd exploited by the internet
worm. The HTTPD reads a maximum of 8192 characters when accepting a request
from port 80.
This was great to read. Related: Morris also discovered the predictable TCP sequence number bug and described it in his paper in 1985 http://nil.lcs.mit.edu/rtm/papers/117.pdf. Kevin Mitnick describes how he met some Israeli hackers with a working exploit only in only in 1994 (9 years later) in his book "Ghost in the Wires" (chapter 33). I tried to chronicle the events here (including the Jon Postel's RFC that did not specify how the sequence number should be chosen) https://akircanski.github.io/tcp-spoofing
This blog post exposes the badness of SMS-based recovery. I think other recovery options such as Yubikey aren't ideal either, as a Yubikey may simply stop working and you're completely locked out. The specific situation the author of the blog post isn't dramatic - he can't receive SMS - personal decision to avoid roaming charges.
But in all seriousness, if there's an authentication recovery standard, it should serve all people including those who are in seriously difficult circumstances (e.g. homeless or ill). The question then is what should recovery look like in those cases.
To me it looks like good old recovery code on paper is the best solution, as it doesn't depend on ever-changing device ports, or hardware malfunction due to lack of use long-term (such as 10-15 years).
I wonder whether authentication apps nowdays address that aspect and make and I kinda doubt so (i.e. can you print out a QR code with all account information in your typical TOTP app?).
For a set of primitive operations (such as those in Turing machine), how can you be sure that it spans all possible computations? It sounds that's one of the challenges Turing had - so he went at lengths to show that by various "soft arguments", e.g. that it's possible to build a VM (Turing machine that runs other Turing machines IIRC). Later on, it was shown that the Turing machine is equivalent to machines other folks came up with (Goedel's recursive functions, lambda calculus, etc) and a consensus emerged that they are all describing a full set of computations.
https://seclists.org/bugtraq/1995/Feb/109
> we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found, that it can be tricked into executing shell commands. Actually, this bug is similar to the bug in fingerd exploited by the internet worm. The HTTPD reads a maximum of 8192 characters when accepting a request from port 80.