Bugtraq mailing list archives

Re: Hidden requests to Apache


From: Jurjen Oskam <jurjen () quadpro stupendous org>
Date: Thu, 25 Oct 2001 09:28:56 +0200

On Wed, Oct 24, 2001 at 09:09:59PM +0100, smiler wrote:

Don't know if this has been brought before.
It's possible to "cheat" an Apache SysAdministrator and make him think that
his server didn't log an HTTP request or make him think that a request has
been made by another IP address.

The insertion of control characters that get recorded in the log file is
documented, and not at all buried deep in the documentation:


http://httpd.apache.org/docs/logs.html

"In addition, log files may contain information supplied directly by the
client, without escaping. Therefore, it is possible for malicious clients
to insert control-characters in the log files, so care must be taken in
dealing with raw logs."




-- 
      Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
    9:19am  up 22:42,  1 user,  load average: 0.00, 0.00, 0.00
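
A defensive check for the issue discussed in this message, added here as an example and not part of the original post or of Apache: it flags raw log records that contain control bytes and renders them escaped, so they can be reviewed without a terminal interpreting them. The function names and the sample log lines are constructed for illustration.

```python
import re

# Bytes a terminal may interpret instead of printing: C0 controls and DEL.
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")

def escape_for_display(record: bytes) -> str:
    """Render a raw record as printable ASCII; everything else becomes \\xNN."""
    out = []
    for b in record:
        if b == 0x5C:                 # literal backslash, doubled to stay unambiguous
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)

def scan(raw: bytes):
    """Return (line_number, offsets, safe_text) for each record with control bytes."""
    findings = []
    # Split on LF only: bytes.splitlines() would also break on a bare CR and
    # turn one tampered record into two records that each look clean.
    records = raw.split(b"\n")
    if records and records[-1] == b"":
        records.pop()
    for lineno, record in enumerate(records, 1):
        # Tolerate a single trailing CR (CRLF line ending); flag anything else.
        body = record[:-1] if record.endswith(b"\r") else record
        offsets = [m.start() for m in CONTROL.finditer(body)]
        if offsets:
            findings.append((lineno, offsets, escape_for_display(body)))
    return findings

# Constructed sample in common log format (documentation-range addresses).
SAMPLE_LOG = (
    b'192.0.2.10 - - [25/Oct/2001:09:00:01 +0200] "GET /index.html HTTP/1.0" 200 1043\n'
    b'192.0.2.77 - - [25/Oct/2001:09:00:05 +0200] "GET /a\x08\x08\x08b HTTP/1.0" 404 210\n'
    b'192.0.2.77 - - [25/Oct/2001:09:00:09 +0200] "GET /c\rd HTTP/1.0" 404 210\n'
)

if __name__ == "__main__":
    for lineno, offsets, safe in scan(SAMPLE_LOG):
        print(f"line {lineno}: control bytes at {offsets}: {safe}")
```

Read the log in binary mode and pass the bytes to `scan()`; decoding it as text first can hide or alter the bytes being looked for.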

