Bugtraq mailing list archives
Re: Hidden requests to Apache
From: Jurjen Oskam <jurjen () quadpro stupendous org>
Date: Thu, 25 Oct 2001 09:28:56 +0200
On Wed, Oct 24, 2001 at 09:09:59PM +0100, smiler wrote:
> Don't know if this has been brought before. It's possible to "cheat" an Apache SysAdministrator and make him think that his server didn't log an HTTP request or make him think that a request has been made by another IP address.
The insertion of control characters that get recorded in the log file is documented, and not at all buried deep in the documentation:

http://httpd.apache.org/docs/logs.html

"In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs."

--
Jurjen Oskam * http://www.stupendous.org/ for PGP key * Q265230
9:19am up 22:42, 1 user, load average: 0.00, 0.00, 0.00
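An added example, not part of the original message or of Apache: one way to take the care the quoted documentation asks for is to read the raw log as bytes, flag any record containing control characters, and show it only in escaped form. The function names and the sample records are constructed for illustration.

```python
import re

# C0 control bytes and DEL. Records are split on LF only, so a bare CR,
# backspace or ESC that a client put into a request stays inside its record.
CONTROL = re.compile(rb"[\x00-\x1f\x7f]")

def render_safe(record: bytes) -> str:
    """Printable view of a record: anything outside plain ASCII becomes \\xNN."""
    return "".join(
        chr(b) if 0x20 <= b <= 0x7e and b != 0x5c else f"\\x{b:02x}"
        for b in record
    )

def scan(data: bytes):
    """Return (line_number, control_byte_offsets, safe_rendering) per suspicious record."""
    findings = []
    # split(b"\n") rather than splitlines(): splitlines() would also break on CR
    # and hide exactly the byte we want to see.
    for n, record in enumerate(data.split(b"\n"), start=1):
        hits = [m.start() for m in CONTROL.finditer(record)]
        if hits:
            findings.append((n, hits, render_safe(record)))
    return findings

# Constructed sample records (addresses are documentation ranges, not real hosts).
SAMPLE = (
    b'192.0.2.10 - - [25/Oct/2001:09:00:01 +0200] "GET /index.html HTTP/1.0" 200 1042\n'
    b'192.0.2.77 - - [25/Oct/2001:09:00:05 +0200] "GET /a\rzzz HTTP/1.0" 404 210\n'
    b'192.0.2.78 - - [25/Oct/2001:09:00:09 +0200] "GET /b\x08\x08\x1b[2K HTTP/1.0" 404 210\n'
)

if __name__ == "__main__":
    for line_no, offsets, safe in scan(SAMPLE):
        print(f"line {line_no}: control bytes at {offsets}")
        print(f"  {safe}")
```

Viewing the same file with a pager or `cat` on a terminal would interpret those bytes instead of displaying them, which is why the scan works on bytes and prints only the escaped rendering.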