Re: HTTP REQUEST_METHOD flaw

[jonz () NETRAIL NET (Jonathan A. Zdziarski)]

Perhaps in the server source code there should be a feature to restrict
the server to accepting only 'known request methods'.  Either that or
restricting the length would stop any buffer overflow attacks.


On Wed, 6
Jan 1999, Sevo Stille wrote:

> mnemonix wrote:
> > There is a "feature" inherent in some web servers, such as Apache 1.3.x or
> > MS IIS, that carries mild security implications that could allow web server
> > attacks to go unnoticed.
>
> As a matter of fact, this is no server problem - any server behaving as
> you describe acts absolutely according to the specs. It is a CGI issue -
> see below for an explanation.
>
> > The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> > such  as a CGI script is requested. Essentially _any_ (except for HEAD,
> > TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> > the HTTP protocol.
>
> Well, HTTP does not define or restrict a set of allowable methods - it
> has specifications and definitions for some, but any server or CGI
> application (which makes it hard to disallow methods on the server, as
> CGI does not define any channel over which a CGI could proclaim its set
> of supported methods to the server) can define more and other methods.
>
> > Consider the following requests which all return the
> > requested resource.
> >
> >  GET /cgi-bin/environ.cgi HTTP/0.9
> >
> >  Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
> >
> > Even Control characters are allowed. Consider the following:
> >
> >  ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
>
> Of course control chars are and must be allowed - CGI is defined to be
> transparent towards the application. For a request satisfied by the
> server, the server would have to (and at any rate apache does) return a
> 501 method not implemented error, according to the specs, par. 5.1.1.
> However CGI scripts are not satisfied by the server - the server hands
> off the request to them, and they have to handle the requested method,
> or return an error 405 or 501. A CGI lib defaulting to handling any
> unknown request as GET is polite, but it could be considered broken.
>
> > As I said it's only a mild problem most likely, really, to effect those that
> > don't use a text editor to browse log files.
>
> Quite so. Nonetheless it would be desirable if the common CGI libraries
> would perform a somewhat more strict method check. The paranoid may want
> to pipe their log through a filter which replaces control chars with
> some associated symbolic value.
>
> Sevo
>
>
> --
> Sevo Stille
> sevo () inm de

Thank you,

Jonathan A. Zdziarski
Sr. Systems Administrator
Netrail, inc.
888.NET.RAIL x240