[18425] in bugtraq

Re: Securax Advisory 12 (Using backspace in HTTP requests)

daemon@ATHENA.MIT.EDU (Philip Stoev)
Thu Jan 4 14:32:28 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <004d01c075d2$f00f2440$0100a8c0@zara>
Date:         Thu, 4 Jan 2001 00:17:13 +0200
Reply-To: Philip Stoev <philip@STOEV.ORG>
From: Philip Stoev <philip@STOEV.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> From: "Alex Muntada" <alexm@AC.UPC.ES>
> Sent: Wednesday, January 03, 2001 1:22 PM
> Subject: Re: Securax Advisory 12
>

> Tested Apache 1.3.14 (source compiled httpd) and it still accepts
> control chars in HTTP requests, but it shouldn't as pointed out by
> Henrik Nordstrom.

What is more, Apache will accept backspace characters in the username
supplied via HTTP Authentication (I tested Apache 1.3.12 Win32 and
Basic Auth). If a site requires such authentication, the username
with the backspace characters will make its way to both access_log
and error_log (since it is not a valid one, unless it has been
created by the attacker previously). If the site does not require
such authentication, the username will not be recorded, even if it
has been supplied.

Philip

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: www stoev org

iQA/AwUBOlOIyFi4DH/L1CReEQLqDQCeJ2GymmJB5O2jmxsQPdbxaL1wlpAAnjoi
A9fGhVvSMh2S1/LWvJVGwZec
=ZMPM
-----END PGP SIGNATURE-----
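
Added example, not part of the original post: a log check for the behaviour described above, flagging access_log entries whose user or request field contains control bytes and showing both the escaped bytes and what a terminal would display. It assumes Common Log Format with the raw bytes written unescaped; the sample lines and the names scan, escape and as_displayed are constructed for illustration.

```python
import re

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(rb'^(\S+) (\S+) (.*?) \[([^\]]*)\] "(.*?)" (\d{3}) (\S+)\s*$')
CONTROL = re.compile(rb'[\x00-\x1f\x7f]')

def escape(raw: bytes) -> str:
    """Render bytes with every non-printable byte shown as \\xNN so nothing is hidden."""
    return ''.join(chr(b) if 0x20 <= b < 0x7f else f'\\x{b:02x}' for b in raw)

def as_displayed(raw: bytes) -> str:
    """Approximate a terminal: backspace moves the cursor left, later bytes overwrite."""
    cells, cur = [], 0
    for b in raw:
        if b == 0x08:
            cur = max(0, cur - 1)
        elif 0x20 <= b < 0x7f:
            if cur < len(cells):
                cells[cur] = chr(b)
            else:
                cells.append(chr(b))
            cur += 1
    return ''.join(cells)

def scan(lines):
    """Return one finding per authuser/request field that contains control bytes."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line.rstrip(b'\r\n'))
        if not m:
            continue
        for name, idx in (('authuser', 3), ('request', 5)):
            field = m.group(idx)
            if CONTROL.search(field):
                findings.append({'line': n, 'field': name,
                                 'escaped': escape(field), 'displayed': as_displayed(field)})
    return findings

# Constructed sample lines (addresses and usernames are made up)
SAMPLE = [
    b'192.0.2.10 - alice [04/Jan/2001:00:17:13 +0200] "GET /private/ HTTP/1.0" 200 512\n',
    b'192.0.2.77 - mallo\x08\x08\x08\x08\x08alice [04/Jan/2001:00:18:02 +0200] "GET /private/ HTTP/1.0" 401 381\n',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

Read the log as bytes (open in 'rb' mode) when feeding real files to scan, so the control characters are not altered by text decoding.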