[8971] in bugtraq
Re: HTTP REQUEST_METHOD flaw
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Thu Jan 7 12:44:55 1999
Date: Wed, 6 Jan 1999 10:37:50 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To: mnemonix@GLOBALNET.CO.UK
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <003b01be3976$b983cf60$216610ac@mercury> from "mnemonix" at Jan 6, 99 01:16:07 pm
The other obvious implication is the REQUEST_METHOD environment variable.
Just the possibility of an overflow or someone's ill-kept script only recognizing
2 different possible request methods, and causing it to act oddly.
--Perry
>
> The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> such as a CGI script is requested. Essentially _any_ (except for HEAD,
> TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> the HTTP protocol. Consider the following requests which all return the
> requested resource.
>
>
> Cheers,
> David Litchfield
>
--
Perry Harrington Director of System Architecture zelur xuniL ()
http://www.webcom.com perry.harrington@webcom.com Think Blue. /\
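
The failure mode raised in this message, shown as an added example that is not part of the original post or of any software it mentions: a CGI program that treats every non-GET method as POST, beside one that matches REQUEST_METHOD against an exact allowlist and never copies it into a fixed-size buffer. The function and enum names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names, chosen for this illustration only. */
enum action { ACT_READ, ACT_WRITE, ACT_REJECT };

/* Fragile: only two methods are recognized, so any other token,
 * including ones not defined by HTTP, lands on the write path. */
static enum action dispatch_naive(const char *method)
{
    if (method != NULL && strcmp(method, "GET") == 0)
        return ACT_READ;
    return ACT_WRITE;
}

/* Hardened: exact, case-sensitive match against an allowlist.
 * The value is compared in place and never copied, so its length
 * cannot overrun a local buffer. Unknown or missing means reject. */
static enum action dispatch_strict(const char *method)
{
    static const struct { const char *name; enum action act; } allowed[] = {
        { "GET", ACT_READ },
        { "POST", ACT_WRITE },
    };
    size_t i;

    if (method == NULL)
        return ACT_REJECT;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(method, allowed[i].name) == 0)
            return allowed[i].act;
    return ACT_REJECT;
}

int main(void)
{
    /* The web server sets REQUEST_METHOD in the CGI environment. */
    if (dispatch_strict(getenv("REQUEST_METHOD")) == ACT_REJECT) {
        printf("Status: 405 Method Not Allowed\r\nAllow: GET, POST\r\n"
               "Content-Type: text/plain\r\n\r\nmethod not allowed\n");
        return 0;
    }
    printf("Status: 200 OK\r\nContent-Type: text/plain\r\n\r\nok\n");
    return 0;
}
```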