Bugtraq mailing list archives
Re: Securax Advisory 12 (Using backspace in HTTP requests)
From: Philip Stoev <philip () STOEV ORG>
Date: Thu, 4 Jan 2001 00:17:13 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
From: "Alex Muntada" <alexm () AC UPC ES> Sent: Wednesday, January 03, 2001 1:22 PM Subject: Re: Securax Advisory 12
Tested Apache 1.3.14 (source compiled httpd) and it still accepts control chars in HTTP requests, but it shouldn't as pointed by Henrik Nordstrom.
What is more, Apache will accept backspace characters in the username supplied via HTTP Authentication (I tested Apache 1.3.12 Win32 and Basic Auth). If a site is requires such authentication, the username with the backspace characters will make its way to both access_log and error_log (since it is not a valid one, unless it has been created by the attacker previously). If the site does not require such authentication, the username will not be recorded, even if it has been supplied. Philip -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> Comment: www stoev org iQA/AwUBOlOIyFi4DH/L1CReEQLqDQCeJ2GymmJB5O2jmxsQPdbxaL1wlpAAnjoi A9fGhVvSMh2S1/LWvJVGwZec =ZMPM -----END PGP SIGNATURE-----
Current thread:
- Securax Advisory 12 incubus (Jan 02)
- Re: Securax Advisory 12 Alex Muntada (Jan 03)
- Re: Securax Advisory 12 (Using backspace in HTTP requests) Philip Stoev (Jan 04)
- Using backspace in HTTP requests (Re: Securax Advisory 12) Philip Stoev (Jan 03)
- Re: Securax Advisory 12 Alex Muntada (Jan 03)