Bugtraq mailing list archives
Re: HTTP REQUEST_METHOD flaw
From: jonz () NETRAIL NET (Jonathan A. Zdziarski)
Date: Thu, 7 Jan 1999 16:00:05 -0500
Perhaps in the server source code there should be a feature to restrict the server to accepting only 'known request methods'. Either that or restricting the length would stop any buffer overflow attacks.

On Wed, 6 Jan 1999, Sevo Stille wrote:

> mnemonix wrote:
>
> > There is a "feature" inherent in some web servers, such as Apache 1.3.x or MS IIS, that carries mild security implications that could allow web server attacks to go unnoticed.
>
> As a matter of fact, this is no server problem - any server behaving as you describe acts absolutely according to the specs. It is a CGI issue - see below for an explanation.
>
> > The problem relates to "allowable" REQUEST_METHODs when a dynamic resource, such as a CGI script, is requested. Essentially _any_ (except for HEAD, TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in the HTTP protocol.
>
> Well, HTTP does not define or restrict a set of allowable methods - it has specifications and definitions for some, but any server or CGI application (which makes it hard to disallow methods on the server, as CGI does not define any channel over which a CGI could proclaim its set of supported methods to the server) can define more and other methods.
>
> > Consider the following requests which all return the requested resource.
> >
> >   GET /cgi-bin/environ.cgi HTTP/0.9
> >   Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
> >
> > Even control characters are allowed. Consider the following:
> >
> >   ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
>
> Of course control chars are and must be allowed - CGI is defined to be transparent towards the application. For a request satisfied by the server, the server would have to (and at any rate apache does) return a 501 method not implemented error, according to the specs, par. 5.1.1. However CGI scripts are not satisfied by the server - the server hands off the request to them, and they have to handle the requested method, or return an error 405 or 501. A CGI lib defaulting to handling any unknown request as GET is polite, but it could be considered broken.
>
> > As I said it's only a mild problem most likely, really, to affect those that don't use a text editor to browse log files.
>
> Quite so. Nonetheless it would be desirable if the common CGI libraries would perform a somewhat more strict method check. The paranoid may want to pipe their log through a filter which replaces control chars with some associated symbolic value.
>
> Sevo
>
> --
> Sevo Stille sevo () inm de

Thank you,

Jonathan A. Zdziarski
Sr. Systems Administrator
Netrail, inc.
888.NET.RAIL x240
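The stricter CGI method check Sevo asks for (answer 405 or 501 instead of treating an unknown method as GET), combined with Jonathan's length limit and the log filter that renders control characters symbolically, as an added example in Python; this is not code from the thread, and the implemented-method whitelist, the 16-byte length cap and the sample access-log line are constructed assumptions.

```python
import re

# Methods this (hypothetical) CGI resource actually implements.
IMPLEMENTED = frozenset({"GET", "POST"})
# Methods defined by HTTP/1.1: known, but not necessarily implemented here.
KNOWN_HTTP = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"})
# A method must be an HTTP "token": no control chars, spaces or separators.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
MAX_METHOD_LEN = 16  # constructed length cap, per Jonathan's suggestion

def classify_method(method):
    """200 proceed; 405 Method Not Allowed (known, not implemented here);
    501 Not Implemented (unknown or malformed token)."""
    if not method or len(method) > MAX_METHOD_LEN or not TOKEN_RE.match(method):
        return 501
    if method in IMPLEMENTED:
        return 200
    return 405 if method in KNOWN_HTTP else 501

def cgi_response_headers(method):
    """CGI header block to emit before any body: refuse an unknown method
    instead of quietly treating it as GET."""
    status = classify_method(method)
    if status == 200:
        return "Content-Type: text/plain\r\n\r\n"
    reason = "Method Not Allowed" if status == 405 else "Not Implemented"
    lines = ["Status: %d %s" % (status, reason)]
    if status == 405:
        lines.append("Allow: " + ", ".join(sorted(IMPLEMENTED)))
    lines.append("Content-Type: text/plain")
    return "\r\n".join(lines) + "\r\n\r\n"

def sanitize_log_line(line):
    """Caret-encode control chars (backspace -> ^H, ESC -> ^[, DEL -> ^?) and
    hex-escape non-ASCII so a terminal cannot be made to redraw the line."""
    out = []
    for ch in line:
        code = ord(ch)
        if ch == "\n":                      # keep the record terminator
            out.append(ch)
        elif code < 0x20 or code == 0x7F:
            out.append("^" + chr((code + 0x40) & 0x7F))
        elif code > 0x7E:
            out.append("\\x%02X" % code)
        else:
            out.append(ch)
    return "".join(out)

# Constructed access-log line using the backspace trick quoted in the thread.
SAMPLE_LOG = '10.0.0.1 - - [06/Jan/1999:12:00:00 +0000] "\b\b\b\b /cgi-bin/environ.cgi HTTP/1.1" 200 512\n'
```

A CGI script would call cgi_response_headers(os.environ.get("REQUEST_METHOD")) before writing anything else, and a log viewer can pipe each line through sanitize_log_line.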
Current thread:
- Re: HTTP REQUEST_METHOD flaw Sevo Stille (Jan 06)
- Re: HTTP REQUEST_METHOD flaw Christopher Masto (Jan 07)
- Re: HTTP REQUEST_METHOD flaw Jonathan A. Zdziarski (Jan 07)
- Re: HTTP REQUEST_METHOD flaw Kenneth Albanowski (Jan 08)
- <Possible follow-ups>
- Re: HTTP REQUEST_METHOD flaw Henrik Nordstrom (Jan 07)
- Re: HTTP REQUEST_METHOD flaw Ben Laurie (Jan 08)