Bugtraq mailing list archives
Re: Hidden requests to Apache
From: Rasmus Bøg Hansen <moffe () amagerkollegiet dk>
Date: Thu, 25 Oct 2001 08:00:51 +0200 (CEST)
On Wed, 24 Oct 2001, smiler wrote:

> It's possible to "cheat" an Apache SysAdministrator and make him think
> that his server didn't log a HTTP request or make him think that a
> request has been made by another IP address. This "cheating" is only
> valid when the log is displayed on the screen using common unix utils
> such as cat, tail, grep, etc... This will not work with the kind of
> sysadmin that edits the logs using vi or even print them to read at
> night on bed eh eh :-) I am not sure if this can be considered as a bug
> or as a feature (?) but in any case it will surely lead apache
> sysadmins into mistake !!

I cannot reproduce this on RedHat Linux 7.0, apache 1.3.19.

> ----------Technique----------
> To make a request and to make it seem like it came from NO IP ADDRESS
> at all, the request should be made as this :
>
> GET / HTTP/1.0 \r\r\n
>
> In this case APACHE will print in the log file the carriage return
> character. So when we try to tail the access_log file it will be shown
> in the screen as :
>
> " 414 3461.251 - - [24/Oct/2001:18:58:18 +0100] "GET / HTTP/1.0

GET / HTTP/1.0 \r\r\n gives this log entry:

194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n" 200 510 "-" "-"

> A normal line would be :
>
> 127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
>
> The normal line output will help us to understand that what happens is
> cat made a carriage return after the HTTP/1.0 and printed the rest of
> the log over the IP Address field. We can also make it look like the
> request came from another IP address, and this is preferable because
> like this the SysAdmin will see no apparent strange behaviour in the
> logfile. Just be careful with the timestamp !! So the request should
> be :
>
> GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n
>
> And the logfile will appear like this :
>
> 10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164

The above gives this log entry:

194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510 "-" "-"

Rasmus

-- 
-- [ Rasmus 'Møffe' Bøg Hansen ] ---------------------------------------
I haven't lost my mind; I have backed it up on tape somewhere........
--------------------------------- [ moffe at amagerkollegiet dot dk ] --
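
Added example, not part of the original message and not Apache code: a Python sketch that approximates how a terminal renders a raw carriage return inside an access log line, as discussed in this thread, and flags any log line containing raw control bytes so it can be reviewed in escaped form. The sample log lines, the address 192.0.2.77 and all function names are constructed for illustration.

```python
import re

# Constructed sample log lines (not from a real server). The first holds a raw
# carriage return (0x0D) inside the request field; the second is ordinary.
SAMPLE_LOG = (
    b'192.0.2.77 - - [24/Oct/2001:18:58:18 +0100] "GET / HTTP/1.0 \r" 414 346\n'
    b'127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164\n'
)

# Any C0 control byte other than tab, plus DEL, is unexpected in a log line.
CONTROL = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f]')


def render_like_terminal(line: bytes) -> str:
    """Approximate cat/tail output: CR returns the cursor to column 0 and
    the characters that follow overwrite what was already printed."""
    screen, col = [], 0
    for ch in line.decode('latin-1'):
        if ch == '\r':
            col = 0
            continue
        if col < len(screen):
            screen[col] = ch
        else:
            screen.append(ch)
        col += 1
    return ''.join(screen)


def escape_controls(line: bytes) -> str:
    """Make control bytes visible: a raw CR becomes the four characters \\x0d."""
    return CONTROL.sub(lambda m: b'\\x%02x' % m.group()[0], line).decode('latin-1')


def audit(log: bytes):
    """Return (line number, logged client field, terminal view, escaped view)
    for every line that contains raw control bytes."""
    findings = []
    for n, line in enumerate(log.split(b'\n'), 1):
        if CONTROL.search(line):
            client = line.split(b' ', 1)[0].decode('latin-1')
            findings.append((n, client, render_like_terminal(line), escape_controls(line)))
    return findings


if __name__ == '__main__':
    for n, client, shown, escaped in audit(SAMPLE_LOG):
        print(f'line {n}: logged client {client}')
        print(f'  terminal view: {shown}\n  escaped view : {escaped}')
```

A line in which the sequence appears only as literal backslash-r text, like the entries quoted in the reply above, contains no control bytes and is not flagged.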