httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: HTTP REQUEST_METHOD flaw (fwd)
Date Thu, 07 Jan 1999 17:44:21 GMT
Of course then this "attack" can be performed in the URL itself... so
what's the point.

Dean

On Thu, 7 Jan 1999, Dean Gaudet wrote:

> We should really disallow requests with bogus characters in the request
> method.
> 
> Dean
> 
> ---------- Forwarded message ----------
> Approved-By: aleph1@UNDERGROUND.ORG
> Date: Wed, 6 Jan 1999 13:16:07 -0000
> From: mnemonix <mnemonix@GLOBALNET.CO.UK>
> Subject: HTTP REQUEST_METHOD flaw
> X-cc:         ntsecurity@iss.net, ntbugtraq@listserv.ntbugtraq.com
> To: BUGTRAQ@NETSPACE.ORG
> 
> There is a "feature" inherent in some web servers, such as Apache 1.3.x or
> MS IIS, that carries mild security implications that could allow web server
> attacks to go unnoticed.
> 
> The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> such as a CGI script is requested. Essentially _any_ (except for HEAD,
> TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> the HTTP protocol. Consider the following requests which all return the
> requested resource.
> 
>  GET /cgi-bin/environ.cgi HTTP/0.9
> 
>  Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
> 
> Even control characters are allowed. Consider the following:
> 
>  ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
> 
> An attacker could issue this request in an attempt to hide their movements.
> When this request is logged in the access log and viewed using cat or more
> the above will appear with the IP address removed.
> 
>  # cat /var/log/httpd/access_log
> 
>  or
> 
>  # more /var/log/httpd/access_log
> 
> reveals
> 
> 10.20.20.1 - - [05/Jan/1999:18:00:00 GMT] "GET / HTTP/1.0" 200 1098
> /cgi-bin/environ.cgi HTTP/1.1" 200 2034
> 10.20.20.2 - - [05/Jan/1999:18:01:00 GMT] "GET /index.html HTTP/0.9" 200 1098
> 
> Using a method similar to this it is possible for an attacker to make it
> appear as if the attack came from another IP address or completely remove
> the whole entry by placing certain control characters in the QUERY_STRING,
> too. This "hiding" works because the control characters are interpreted when
> piped to STDOUT and the ^H being the back space removes, from the screen at
> least, the IP address and date and time stamp. You could use the vi editor
> to view the "real" contents of the access log.
> 
> This was tested on Apache 1.3.3 on RedHat 5.2 and Apache 1.2.7 on RedHat
> 5.0. Also affected is Microsoft's Internet Information Server 2, 3 and 4 but
> in the NT environment this is less of a problem because the log files are
> generally viewed in Notepad and not using the "type" command, which
> incidentally will interpret the control characters.
> 
> As I said it's only a mild problem most likely, really, to affect those that
> don't use a text editor to browse log files.
> 
> Cheers,
> David Litchfield
> 
> 
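The following is an added example, not part of Dean's reply or Litchfield's post, showing what a log reviewer can do about the behaviour described above: parse Common Log Format lines, flag any request whose method is not an RFC 2616 token, contains control characters, or is outside an allow-list of known methods, and render control bytes as \xNN so that a terminal cannot interpret them when the log is displayed. The sample log lines are constructed here to mirror the post (the "Azx5T8uHTRuDL" and backspace-filled methods); the function names, the allow-list and the regexes are this example's own choices, not anything from the post or from Apache.

```python
"""Scan Apache access_log lines for log-injection via the request method.

Added example (not from the original post).  The sample lines below are
constructed to resemble the requests in the post; the allow-list and the
function names are this example's own.
"""
import re

# RFC 2616 "token": one or more characters that are neither CTLs nor separators.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods defined by RFC 2616 (the allow-list used here is an example choice).
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Common Log Format: host ident user [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: a normal request, a made-up method, a method made
# entirely of backspaces (0x08) as in the post, and a normal request.
SAMPLE_LOG = [
    '10.20.20.1 - - [05/Jan/1999:18:00:00 GMT] "GET / HTTP/1.0" 200 1098',
    '10.20.20.3 - - [05/Jan/1999:18:00:30 GMT] "Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0" 200 2034',
    '10.20.20.4 - - [05/Jan/1999:18:00:45 GMT] "' + "\x08" * 43 + ' /cgi-bin/environ.cgi HTTP/1.1" 200 2034',
    '10.20.20.2 - - [05/Jan/1999:18:01:00 GMT] "GET /index.html HTTP/0.9" 200 1098',
]


def escape_ctl(s):
    """Render every non-printable or non-ASCII character as \\xNN text.

    A terminal will not act on the result, so backspaces can no longer erase
    the preceding IP address and timestamp from the screen.
    """
    return "".join(c if 0x20 <= ord(c) < 0x7F else "\\x%02x" % ord(c) for c in s)


def analyse(line):
    """Parse one CLF line and return a record with the reasons it is suspicious.

    An unparseable line is itself reported as suspicious: log injection is one
    of the ways a line ends up not matching the format.
    """
    m = CLF_RE.match(line)
    if not m:
        return {"host": None, "method": None, "reasons": ["line does not match CLF"],
                "safe": escape_ctl(line)}
    request = m.group("request")
    method = request.split(" ")[0]
    reasons = []
    if not TOKEN_RE.match(method):
        reasons.append("method is not an RFC 2616 token")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in request):
        reasons.append("control characters in request line")
    if method not in KNOWN_METHODS:
        reasons.append("method not in allow-list: '%s'" % escape_ctl(method))
    return {"host": m.group("host"), "method": method, "reasons": reasons,
            "safe": escape_ctl(line)}


def scan(lines):
    """Return the records for every line that has at least one reason."""
    return [r for r in (analyse(l) for l in lines) if r["reasons"]]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["safe"])
        for reason in rec["reasons"]:
            print("    ->", reason)
```

Run as a script it prints the two suspicious lines with every control byte spelled out, so the backspace-filled entry is visible with its real source address rather than being erased from the screen. The same effect can be had interactively with `cat -v`, which shows non-printing characters as `^H` instead of passing them to the terminal.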

