httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51603] New: Apache accepts completely bogus HTTP requests (possible security hole)
Date Tue, 02 Aug 2011 20:34:11 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51603

             Bug #: 51603
           Summary: Apache accepts completely bogus HTTP requests
                    (possible security hole)
           Product: Apache httpd-2
           Version: 2.2.19
          Platform: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mikael@lyngvig.org
    Classification: Unclassified


Here are access.log entries for strange machines (worm infested machines?) that
hammer on my Apache server with all sorts of completely bogus HTTP requests
that are ACCEPTED by Apache.  Apache apparently sends something back to the
remote end and I'd really like to know what data it is sending across the wire:

190.3.214.212 - - [02/Aug/2011:05:48:09 +0200]
"F6)\xa1\xa8\x91\xb5z\x15\xb3\xfa\x19\xe0R\x16\xccIG_\x012\x80\x162\xec\xf5C1\xa7"
200 847
93.166.90.65 - - [02/Aug/2011:01:23:42 +0200]
"\xc1D*\xe5/$gcin\x8a\x1f-I\x16\xf5\xf7\xa2\x97\xb8\x16B\xc7\x95\xae\x11\x99W\x80z\xb8\xa0\x03{\x87\x1e\x19\xe5\x02\x92\xb9\x84\x84"
200 847
92.40.253.152 - - [02/Aug/2011:00:33:12 +0200]
"\x12`\xf1J\xc7\xb0c\x149\b\x0e\xdb\xc7\xde\xac" 200 847
213.125.79.2 - - [01/Aug/2011:17:32:04 +0200]
"\xab\xf4+r\xd8\x8f6\xf2\x82\xba\x16\x1a\x8f\x1d\x037\xd7lu\x87k\x90|\x1ax\xec\xdf\xc9?\x8c\xfbjX\x96\xfe\xbe\xc2l\xf3J\xda\xd2\x87!\x94\xb1\x1c\xf2\x02p\x02\xab-\xc1\xe4`\xf7\xde"
200 847
212.183.140.13 - - [01/Aug/2011:18:25:45 +0200]
"\x9a\\(|p\xb0\x9aoF\xa6]u\xaf\xb8\x84\x0e\xa9'_\xd1\xb2\xa1\x9aU\x17K\x83\xe2\xb6\x06\xfe4\x14JO\xf8\xa2\xc4\xbcBT\xb9\x93\xb9\xcf\xea\xc9\xd5"
200 847
213.125.79.2 - - [01/Aug/2011:18:46:40 +0200] "\bU?\xc0\x1ap\xce\x82_" 200 847

As far as I know, which is rather little in this particular case, Apache should
return an error whenever it encounters a malformed HTTP request.


Sincerely,
Mikael Lyngvig
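
The check described in the report, as an added example that is not part of the original message or of Apache httpd: a log triage script that flags access.log entries whose request field is not a well-formed request line but which were still answered with a 2xx status. The names `CLF`, `REQUEST_LINE` and `suspicious_entries` are hypothetical, the request-line pattern is a simplified approximation, and the sample holds two entries from the report (rejoined onto one line each) plus two constructed ones.

```python
import re

# Common Log Format: host ident user [time] "request" status bytes.
# Inside the quoted field a backslash escapes the next character, so an
# escaped quote (\") does not terminate the field.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Simplified request-line shape (assumption): METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def suspicious_entries(lines):
    """Return (host, status, request) for entries that were answered with a
    2xx status although the logged request is not a well-formed request line."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a Common Log Format line; skipped here
        if m["status"].startswith("2") and not REQUEST_LINE.match(m["request"]):
            hits.append((m["host"], int(m["status"]), m["request"]))
    return hits


SAMPLE = [
    # Two entries taken from the report above, rejoined onto one line each.
    r'92.40.253.152 - - [02/Aug/2011:00:33:12 +0200] '
    r'"\x12`\xf1J\xc7\xb0c\x149\b\x0e\xdb\xc7\xde\xac" 200 847',
    r'213.125.79.2 - - [01/Aug/2011:18:46:40 +0200] "\bU?\xc0\x1ap\xce\x82_" 200 847',
    # Constructed: a well-formed request, which must not be flagged.
    r'192.0.2.10 - - [02/Aug/2011:06:00:00 +0200] "GET /index.html HTTP/1.1" 200 847',
    # Constructed: a malformed request that was rejected, so it is not flagged.
    r'192.0.2.11 - - [02/Aug/2011:06:00:01 +0200] "\x01\x02" 400 226',
]

if __name__ == "__main__":
    for host, status, request in suspicious_entries(SAMPLE):
        print(f"{host} status={status} request={request!r}")
```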
