httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bob" <...@a1poweruser.com>
Subject RE: [users@httpd] Deny CONNECT & GET http requests
Date Tue, 19 Jun 2007 23:22:35 GMT

-----Original Message-----


On 6/19/07, Bob <bob@a1poweruser.com> wrote:
> The replies to my post came back saying that apache defaults to denying
> CONNECT requests which I was not able to verify.
> That the CONNECT request is some how being spoofed through php  which I
was
> not able to verify.
> My reading of php5 says it accepts all valid methods that apache hands it.
> To me this indicates that apache is not denying CONNECT requests by
default.

The default handler of apache does indeed deny connect requests. But
apache is a modular server that allows modules to take over whatever
processing they want. php chooses to take over all methods (even
invalid methods like SPLATCH or lowercase get -- this has been the
source of security problems in the past).

>  So in apache http-conf around line 340 I added the <LimitExcept GET POST>
> Declarative like this to the default directory definition so it looks like
> this.
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     <LimitExcept GET POST>
>        Require valid-user
>     </LimitExcept>
> </Directory>
>
> Now the access log shows this
>
> 61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25
> HTTP/1.0" 500 602 "-" "-"
>
> And the error.log shows this
>
> [Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration
> error:  couldn't perform authentication. AuthType not set!: /

That's not really an ideal config, since it is returning a server
misconfiguration error rather than a proper 403 forbidden error. But
it doesn't really matter; the robots making these requests don't care.

> As you can see the CONNECT request is now being denied with a 500.
> The CONNECT requests have been stopped from attacking others.

The CONNECT requests where never attacking others in your case. PHP
was treating them exactly like GET requests and serving your default
page. As I've mentioned twice already, the best solution to this is to
limit the methods handled by PHP.

Joshua.

---------------------------------------------------------------------


From: jslive@gmail.com [mailto:jslive@gmail.com]On Behalf Of Joshua Slive
Sent: Tuesday, June 19, 2007 9:15 AM
To: users@httpd.apache.org; bob@a1poweruser.com
Subject: Re: [users@httpd] Deny CONNECT & GET http requests

You are wrong, my original post showed the CONNECT requests having a 200
status code which means apache did service them successfully before I added
the LimitExcept declarative as recommended in the Maximum Apache Security
book. My book says a 500 code is a common error when a client calls a flawed
CGI script.  I have read the php manual concerning selecting individual
methods. I could not find any mention of how to tell php to limit it self to
only using desired methods.  A link to the php manual where it explains how
to restrict php to only allow the use of selected methods would go a long
way to support your view point. Providing a how to fix it post like I did is
far better then a reply spouting apache dogma. Results are what count here.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message