Date: Thu, 5 Oct 2006 14:57:01 -0400
From: "Joshua Slive"
To: users@httpd.apache.org, ed@alcpress.com
In-Reply-To: <45253527.9090309@alcpress.com>
References: <45253527.9090309@alcpress.com>
Subject: Re: [users@httpd] Apache/PHP and obfuscated URLs

On 10/5/06, Ed Sawicki wrote:
> I see that Apache 2.0 does not convert an obfuscated URL
> into its canonical form. For example, with this URL:
>
> http://www.example.com/url/hack
>
> I see the Web page and the access log shows this:
>
> 10-05 07:41 "GET /url/hack HTTP/1.1" 200
>
>
> With this obfuscated URL:
>
> http://www.example.com/%75%72%6C%2F%68%61%63%6B
>
> I get a 404 error page and the access log shows this:
>
> 10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
>
> However, the error log does not log this 404 error with
> the default LogLevel.
>
> Two questions:
>
> 1. Why doesn't Apache log the error when other 404 errors are
> logged?
>
> 2. I'm pleased that Apache doesn't convert obfuscated URLs
> into canonical form, but I'm wondering why attackers have
> success using obfuscated URLs when attacking Apache sites
> where the Web apps are written in PHP. I do not know or use
> PHP.

That URL is actually a special case because it contains an encoded
slash, which is considered an especially dangerous item. See the
AllowEncodedSlash directive.

It should get logged anyway. If you can show that it isn't getting to
the error log in 2.2, then you should report it as a bug.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
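The distinction the reply draws (a percent-encoded slash in the path is refused up front, while other escapes such as %75 decode normally) and a check over access-log lines of the shape quoted in the thread, as an added example that is not part of this thread or of Apache; the log excerpt is constructed, and `apache_would_reject` is a simplified model of the encoded-slash default, not Apache's own code.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Request-line shape of the access-log lines quoted in the thread.
_REQ = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
_ENC_SLASH = re.compile(r'%2[fF]')

def path_of(target: str) -> str:
    """Path component of a request target; a %2F in the query string is data,
    not a path separator, so the query is dropped before any check."""
    return target.split('?', 1)[0]

def has_encoded_slash(path: str) -> bool:
    """True when the path carries a percent-encoded '/' (%2F or %2f)."""
    return _ENC_SLASH.search(path) is not None

def canonical_path(path: str) -> str:
    """The path with every percent-escape decoded."""
    return unquote(path)

def apache_would_reject(path: str, allow_encoded_slashes: bool = False) -> bool:
    """Simplified model (an assumption, not Apache's code) of the default the
    reply points at: with encoded slashes disallowed, a path containing %2F is
    refused with 404 before lookup, while other escapes decode normally."""
    return has_encoded_slash(path) and not allow_encoded_slashes

def scan_log(text: str) -> List[Dict[str, object]]:
    """Every request whose logged path differs from its decoded form, with both
    forms side by side so an operator sees what the URL was really asking for."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        raw = path_of(m['target'])
        decoded = canonical_path(raw)
        if decoded != raw:
            findings.append({'raw': raw, 'decoded': decoded, 'status': int(m['status']),
                             'encoded_slash': has_encoded_slash(raw)})
    return findings

# Constructed log excerpt in the shape quoted above: the plain request, the fully
# obfuscated one with %2F, and a variant that encodes the letters but not '/'.
SAMPLE_LOG = """\
10-05 07:41 "GET /url/hack HTTP/1.1" 200
10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
10-05 07:42 "GET /%75%72%6C/%68%61%63%6B HTTP/1.1" 200
"""
```

Only the second constructed line trips the encoded-slash rule; the third decodes to the same `/url/hack` but is served because its slash is literal.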