Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Httpd Logging Methods

From: v0rt () DAYROM COM AU (v0rt)
Date: Tue, 24 Aug 1999 10:36:27 +1000

Sorry for the briefness of this email, time refraints prohibit me from
fully analysing the situation. Hopefully others will be able to give
results on other httpd servers and how they resond to these requests.

Recently, while looking into Httpd/CGI security, I noticed that the
httpd did not log correct httpd requests sent as hex in clear text in
the access_log, as it does when it writes to error.log when a 404 is
returned.

ie.
access_log
192.168.0.4 - - [24/Aug/1999:10:12:09 +1000] "GET /%41 HTTP/1.0" 404 195

error.log
[Tue Aug 24 10:12:09 1999] [error] [client 192.168.0.4] File does not
exist: /home/v0rt/public_html/A

While this in turn is no big security hole, not in the broadest terms,
it does however bypass some security means posed by many httpd log
analysers, which can detect webbased scans, ie. vunerable cgi scans.

Because these log analysers _should_ check the access_log rather than
just the error_log for scan attempts (incase vunerable cgi scripts are
running)
if they do not check for the hex equivilent of the clear text cgi get
requests, then the analyst will return null to scan attempts.

This post is not an advisory, more of a request for someone with greater
resources than mine to test this on a variety of different httpd servers
and post the results. Also how httpd respond to requests for hex values
which lie in the extended character set, %0A %A0 etc.

This post is also aimed at the developers of log analysers in the hope
that they will resond and change their code to include hex request
values.

Currently this has only been tested on Apache/1.3.3 (Unix)

v0rt_

xeb [slash] xec
http://v0rt.dayrom.com.au
Previous By Date Next
Previous By Thread Next

Current thread: