Bugtraq mailing list archives
Re: Securax Advisory 12
From: Alex Muntada <alexm () AC UPC ES>
Date: Wed, 3 Jan 2001 12:22:03 +0100
incubus wrote:
When the backspace character is sent, after a NULL terminated request, we will get an answer, the page we requested, but our entry in the access_log file is kinda altered. We can overwrite our IP address when someone wants to cat the logfile to the screen or maybe also to a device (such as: > /dev/lp0),
NUL terminated request aside, the logging of backspace (and any other control characters) in httpd logs had been discussed some time ago, as you can see below. For details, see the Bugtraq archives: http://www.securityfocus.com/archive/1/11840

mnemonix wrote:
The problem relates to "allowable" REQUEST_METHODs when a dynamic resource, such as a CGI script, is requested. Essentially _any_ (except for HEAD, TRACE and OPTIONS) REQUEST_METHOD can be used, even methods not defined in the HTTP protocol. Consider the following requests, which all return the requested resource:

GET /cgi-bin/environ.cgi HTTP/0.9
Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0

Even control characters are allowed. Consider the following:

^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
Sevo Stille wrote:
Of course control chars are and must be allowed - CGI is defined to be transparent towards the application. For a request satisfied by the server, the server would have to (and at any rate apache does) return a 501 method not implemented error, according to the specs, par. 5.1.1.1
Henrik Nordstrom wrote:
Not really. RFC 2068 defines method as a token, which is "1*<any CHAR except CTLs or tspecials>", so the above may be rejected with a "400 Bad Request" reply as it is not valid HTTP syntax. HTTP puts restrictions on which characters are allowable in all parts of the protocol except the message body.

So it applies to the entire Request-Line and Simple-Request (as depicted in the Securax advisory). I tested Apache 1.3.14 (source compiled httpd) and it still accepts control chars in HTTP requests, but it shouldn't, as pointed out by Henrik Nordstrom.

Just a last comment on kosheen.c: in my tests against apache, it seems to discard anything after the NUL byte, so kosheen doesn't work as expected unless the NUL is removed:

% cat <<EOF | nc www.example.com 80
GET /index.html HTTP/1.0^@^H^H^H^H
EOF
....HTML....
% tail -1 access_log | od -c
0000000 w w w . e x a m p l e . c o m
0000020 - - [ 0 3 / J a n / 2 0 0 1
0000040 : 1 1 : 4 5 : 1 4 + 0 1 0 0 ]
0000060 " G E T / i n d e x . h t m
0000100 l H T T P / 1 . 0 " 2 0 0
0000140 4 8 5 9 - - \n

% cat <<EOF | nc www.example.com 80
GET /index.html HTTP/1.0^H^H^H^H
EOF
....HTML....
% tail -1 access_log | od -c
0000000 w w w . e x a m p l e . c o m
0000020 - - [ 0 3 / J a n / 2 0 0 1
0000040 : 1 1 : 4 5 : 1 4 + 0 1 0 0 ]
0000060 " G E T / i n d e x . h t m
0000100 l H T T P / 1 . 0 \b \b \b \b "
0000140 2 0 0 4 8 5 9 - - \n

Best,
Alex

--
Alex Muntada <alexm () ac upc es>
http://www.ac.upc.es/homes/alexm/
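The three points made in the thread above (the RFC 2068 token grammar Henrik Nordstrom cites, the 400-versus-501 distinction Sevo Stille raises, and Alex's observation that Apache 1.3.14 drops everything after a NUL, while letting backspaces straight through into access_log) can be exercised with the following added example. This is illustration code written for this page, not code from the post, from the Securax advisory, kosheen.c or Apache; the `truncate_at_nul` model of Apache's behaviour is an assumption drawn from the od -c dumps above, the log entries are constructed, and the third entry goes beyond the thread's backspace case by using an ANSI erase-line sequence to overwrite the client address on a terminal.

```python
"""Added example: validate HTTP Request-Lines against RFC 2068, reproduce the
observed NUL truncation, and find control characters in an access_log."""
import re

# RFC 2068 sec. 2.2: CTL = octets 0-31 and 127; tspecials are the separators
# below; token = 1*<any CHAR except CTLs or tspecials>.
TSPECIALS = frozenset(b'()<>@,;:\\"/[]?={} \t')
# RFC 2068 sec. 5.1.1: the methods the protocol itself defines.
KNOWN_METHODS = {b"OPTIONS", b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"TRACE"}


def has_ctl(data: bytes) -> bool:
    """True if any byte is a CTL (covers NUL, backspace 0x08 and ESC 0x1b)."""
    return any(b < 0x20 or b == 0x7f for b in data)


def is_token(field: bytes) -> bool:
    """RFC 2068 token: non-empty, printable US-ASCII, no CTLs, no tspecials."""
    return bool(field) and all(0x20 < b < 0x7f and b not in TSPECIALS for b in field)


def check_request_line(line: bytes):
    """Return (accepted, reason) for one Request-Line or Simple-Request.
    Syntax violations (CTLs, non-token method) get 400 as Henrik argues; a
    well-formed but unknown method gets 501 as Sevo argues (spec sec. 5.1.1)."""
    line = line.rstrip(b"\r\n")
    if has_ctl(line):
        return False, "400 Bad Request: CTL byte in Request-Line"
    parts = line.split(b" ")
    if len(parts) == 2:                    # Simple-Request = "GET" SP Request-URI
        method, uri = parts
        if method != b"GET":
            return False, "400 Bad Request: Simple-Request must be GET"
    elif len(parts) == 3:                  # Request-Line = Method SP URI SP Version
        method, uri, version = parts
        if not re.fullmatch(rb"HTTP/\d+\.\d+", version):
            return False, "400 Bad Request: malformed HTTP-Version"
    else:
        return False, "400 Bad Request: expected 2 or 3 fields"
    if not is_token(method):
        return False, "400 Bad Request: Method is not a token"
    if not uri or not all(0x20 < b < 0x7f for b in uri):
        return False, "400 Bad Request: bad Request-URI"
    if method not in KNOWN_METHODS:
        return False, "501 Not Implemented: unknown method " + method.decode("ascii")
    return True, "accepted " + method.decode("ascii") + " " + uri.decode("ascii")


def truncate_at_nul(line: bytes) -> bytes:
    """Assumed model of what the post observed on Apache 1.3.14: everything
    after the first NUL is dropped before parsing and logging, which is why a
    "NUL then backspaces" request produced a clean access_log entry."""
    return line.split(b"\x00", 1)[0]


def escape_log_field(raw: bytes) -> str:
    """Escape a field before it reaches the log: CTLs and non-ASCII bytes
    become \\xHH and backslash is doubled, so `cat access_log` on a terminal
    shows the bytes instead of interpreting them."""
    out = []
    for b in raw:
        if b == 0x5c:
            out.append("\\\\")
        elif 0x20 <= b < 0x7f:
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


# Constructed sample access_log (not the one in the post). Entry 2 carries the
# four backspaces from the second od -c dump; entry 3 adds an ANSI erase-line
# sequence that rewrites the client address when the file is cat'ed.
SAMPLE_LOG = (
    b'www.example.com - - [03/Jan/2001:11:45:14 +0100] "GET /index.html HTTP/1.0" 200 4859\n'
    b'www.example.com - - [03/Jan/2001:11:45:14 +0100] "GET /index.html HTTP/1.0\x08\x08\x08\x08" 200 4859\n'
    b'www.example.com - - [03/Jan/2001:11:45:15 +0100] "GET /\x1b[2K\x1b[G10.0.0.1 - - [x] HTTP/1.0" 404 211\n'
)


def find_forged_entries(log: bytes):
    """Return [(line_no, escaped_line)] for every entry containing a CTL byte."""
    return [(n, escape_log_field(entry))
            for n, entry in enumerate(log.split(b"\n"), 1)
            if entry and has_ctl(entry)]


if __name__ == "__main__":
    for req in (b"GET /index.html HTTP/1.0\x08\x08\x08\x08",
                b"Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0",
                b"GET /index.html HTTP/1.0\x00\x08\x08\x08\x08"):
        print(escape_log_field(req), "->", check_request_line(req))
        print("  after NUL truncation ->", check_request_line(truncate_at_nul(req)))
    for n, entry in find_forged_entries(SAMPLE_LOG):
        print("suspicious access_log line %d: %s" % (n, entry))
```

Running it shows the request with trailing backspaces rejected with 400, the made-up method rejected with 501, and the NUL-terminated kosheen-style request rejected as sent but accepted once truncated at the NUL, which is the behaviour the dumps above exhibit. The log scan flags only the two entries carrying CTL bytes and prints them escaped, which is the form a log writer should emit in the first place.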
Current thread:
- Securax Advisory 12 incubus (Jan 02)
- Re: Securax Advisory 12 Alex Muntada (Jan 03)
- Re: Securax Advisory 12 (Using backspace in HTTP requests) Philip Stoev (Jan 04)
- Using backspace in HTTP requests (Re: Securax Advisory 12) Philip Stoev (Jan 03)
- Re: Securax Advisory 12 Alex Muntada (Jan 03)