Bugtraq mailing list archives

Using backspace in HTTP requests (Re: Securax Advisory 12)


From: Philip Stoev <philip () STOEV ORG>
Date: Wed, 3 Jan 2001 23:02:17 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As people noted in the past, this seems only applicable to server
administrators that use grep/tail/less/more/cat, etc. on their log
files. Obviously, they are not many.

However, this issue becomes somewhat of a problem if this log file is
run through a log analysis tool that preserves the backspace
characters and other garbage so that they appear in its output
reports. And there are people that will view this output using the
above-mentioned tools, even though they will not view the logs
themselves this way. An attacker with knowledge of the end output may
construct malformed HTTP requests that target its layout. I know at
least one log analysis tool that seems vulnerable to such a scenario.

Philip
www stoev org


- ----- Original Message -----
From: "incubus" <incubus () SECURAX ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, January 01, 2001 4:51 PM
Subject: Securax Advisory 12


Topic:          Remote hiding from access_log and error_log
Announced:      2000-12-28
Affects:        Logfile auditing with tools that print the contents of the
                file to the screen.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: www stoev org

iQA/AwUBOlN3OVi4DH/L1CReEQJrDwCcC6NTBE12gRkaxWCiV20M7ai4nrcAoI6G
RWY5V4Clvdbecehd1fjkiXzF
=/xsA
-----END PGP SIGNATURE-----
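
One way a log report generator can avoid passing backspaces and similar bytes through to its output, as an added example (not from the original message or the advisory): it flags lines that contain control characters and emits them in escaped, visible form. The log lines are constructed samples, and the names `neutralize` and `audit` are assumptions made for this illustration.

```python
import re

# C0 control characters (except tab), DEL, and C1 controls: bytes that a
# terminal or pager may interpret instead of displaying.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(line: str) -> str:
    """Replace each control character with a visible \\xNN escape."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def audit(lines):
    """Return (line_number, control_char_count, safe_text) for flagged lines."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        text = raw.rstrip("\n")  # the trailing newline is only a record separator
        hits = CONTROL_RE.findall(text)
        if hits:
            findings.append((number, len(hits), neutralize(text)))
    return findings


# Constructed sample input (not taken from any real log).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2001:23:02:17 +0200] "GET /index.html HTTP/1.0" 200 1043\n',
    '192.0.2.77 - - [03/Jan/2001:23:02:19 +0200] "GET /admin' + "\x08" * 6 + ' HTTP/1.0" 404 287\n',
    '192.0.2.10 - - [03/Jan/2001:23:02:21 +0200] "GET /logo.gif HTTP/1.0" 200 5120\n',
]

if __name__ == "__main__":
    # Report only the flagged lines, already escaped, so the report itself
    # is safe to view with cat, less, or tail.
    for number, count, safe in audit(SAMPLE_LOG):
        print(f"line {number}: {count} control character(s): {safe}")
```

Applying `neutralize` to every field before it is written into a report keeps the report safe to read with the same terminal tools, even when the raw log is not.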

