[8971] in bugtraq


Re: HTTP REQUEST_METHOD flaw

daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Thu Jan 7 12:44:55 1999

Date: 	Wed, 6 Jan 1999 10:37:50 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To:         mnemonix@GLOBALNET.CO.UK
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <003b01be3976$b983cf60$216610ac@mercury> from "mnemonix" at Jan
              6, 99 01:16:07 pm

The other obvious implication is the REQUEST_METHOD environment variable.

Just the possibility of an overflow or someone's ill-kept script only recognizing
2 different possible request methods, and causing it to act oddly.

--Perry

>
> The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> such as a CGI script, is requested. Essentially _any_ (except for HEAD,
> TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> the HTTP protocol. Consider the following requests which all return the
> requested resource.
>
>
> Cheers,
> David Litchfield
>


--
Perry Harrington   Director of System Architecture  zelur xuniL  ()
http://www.webcom.com  perry.harrington@webcom.com  Think Blue.  /\
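
Added example, not part of the original post or the quoted advisory: a CGI written in C that handles the two failure modes raised above, an unbounded copy of REQUEST_METHOD and a script that treats every method other than GET as POST. The function names, the METHOD_MAX bound and the 405 response are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define METHOD_MAX 8  /* assumed bound: longest accepted method plus NUL */

enum method { M_GET, M_POST, M_REJECT };

/* Brittle pattern: anything that is not GET is assumed to be POST. */
enum method classify_brittle(const char *m)
{
    return (m && strcmp(m, "GET") == 0) ? M_GET : M_POST;
}

/* Hardened: bound the length before copying, then match an allow-list. */
enum method classify_strict(const char *m)
{
    char buf[METHOD_MAX];
    const char *end;
    size_t n;

    if (m == NULL)
        return M_REJECT;
    end = memchr(m, '\0', METHOD_MAX);  /* look at most METHOD_MAX bytes ahead */
    if (end == NULL || end == m)
        return M_REJECT;                /* too long or empty: refuse, never truncate */
    n = (size_t)(end - m);
    memcpy(buf, m, n + 1);              /* n + 1 <= METHOD_MAX, includes the NUL */
    if (strcmp(buf, "GET") == 0)        /* method names are case-sensitive */
        return M_GET;
    if (strcmp(buf, "POST") == 0)
        return M_POST;
    return M_REJECT;                    /* undefined or unsupported method */
}

/* Status the CGI emits for the REQUEST_METHOD it was handed. */
int status_for(const char *m)
{
    return classify_strict(m) == M_REJECT ? 405 : 200;
}

int main(void)
{
    int status = status_for(getenv("REQUEST_METHOD"));

    printf("Status: %d\r\nContent-Type: text/plain\r\n\r\n", status);
    puts(status == 200 ? "ok" : "method not allowed");
    return 0;
}
```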
