Security Incidents mailing list archives

Re: Reallyl fouled up scans from linux15.ebar.dtu.dk

From: Daniel Martin <dtmartin24 () home com>
Date: 23 May 2001 10:13:09 -0400

"Joshua J. Kugler" <isd () as uaf edu> writes:

A lot of the requests are good, it looks like he was trying to traverse the 
tree.  Every now and then, there are requests of the form:

/~EgggNoggg/Testing/?D=A

Is the ?D=A testing for some hole?


No, it's just following a link that Apache's standard directory list
generates - if you go to http://www.as.uaf.edu/~EgggNoggg/Testing/
and follow one of the "Name", "Size" or other column headings' links,
you'll get a URL that looks like that.

Here are some other odd ones
130.225.77.30 - - [11/May/2001:11:33:06 -0800] 
"GET/~havolina/%20%20%20%20%20%20%20http://www.cicv.fr/creation_artistique/online/orlan/index.html 
HTTP/1.0" 404 386 "-" "Mozilla 4.0 (compatible; HttpTool/0.1)"


Nothing odd here except that the referring page -
http://www.as.uaf.edu/~havolina/links.html - has a bad link.  Way to
go WYSIWYG editors...

The other URLs you cite are all Apache-generated directory sort links.

And a bit of searching solves the question of where the long recursive
URL seems to come from.  If you go to http://www.as.uaf.edu/sic/ and
_don't_ have a password for the site, you get a page that, among other
things, includes this down at the bottom:
<A href="stugov/">About ASUAF</A> |

Now, following that link will attempt to access
http://www.as.uaf.edu/sic/stugov/ - again, without a password you get
the same "please give us a password" page.  And again, down at the
bottom you have the HTML fragment:
<A href="stugov/">About ASUAF</A>
Which when followed will attempt to access
http://www.as.uaf.edu/sic/stugov/stugov/ and so forth.

There are at least two ways I can see of avoiding this.  One is to
have the links at the bottom of the page all start with /'s - so that
the HTML fragment above becomes
<A href="/stugov/">About ASUAF</A>
Another is to include a BASE tag in the "please enter your password"
page, for example:
<BASE href="http://www.as.uaf.edu/sic";>

I will note that another way that happens to work in this case is to
leave off the trailing slash from "stugov", but that feels a bit too
hackish.  (I've always been touchy about leaving that trailing slash
on there; sure, Apache and IIS always issue redirects from
http://somewhere/something/subdir to
http://somewhere/something/subdir/ but not every server necessarily
behaves that way - blame my early experience with OSU's VMS-based
server)

Current thread:

Reallyl fouled up scans from linux15.ebar.dtu.dk Joshua J. Kugler (May 22)
- Re: Reallyl fouled up scans from linux15.ebar.dtu.dk Daniel Martin (May 23)
- RE: Reallyl fouled up scans from linux15.ebar.dtu.dk Daniel CHIRITA (May 23)