Security Incidents mailing list archives

Strange log in Apache after webdav-like exploit


From: Sebastien Millet <milletse () club-internet fr>
Date: Tue, 13 Jul 2004 00:42:55 +0200

Hello,

Today I had two of these in my access_log:

xx.xx.xxx.xx - - [12/Jul/2004:22:29:32 +0200] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb
1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
(...)
\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x9 0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
(...)

So far, it's the classical webdav exploit, but the end is quite
strange:

(...)
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
0\x90\x90\x90\ x90\x90\x90\x90\x90\x90\x90\x90\x90\x90me - west British
Columbia</option><option value=\"America/ Whitehorse\"
Canada/Whitehorse Pacific Time - south Yukon</option><option
value=\"America/Winnipe
g\" >Canada/Winnipeg Central Time - Manitoba & west
Ontario</option><option value=\"America/Yellow knife\"
Canada/Yellowknife Mountain Time
(...)
option value=\"America/Guadeloupe\">
Guadeloupe/Guadeloupe</option><HTTP/1.0" 414 250

The end of the logged request contains about 4KB of a recent huge (68k)
served php page.

Apache is 2.0.49, PHP is 4.3.7.

Do you know where this could come from?

To me, it looks like a buffer overflow in the logging part.

I wasn't able to reproduce the problem with a custom long URI or with the
webdav exploit consisting of 64k \x90; each time the request is cut at
the URI limit and Apache answers 414.

Thanks.
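
A log triage check for the pattern described in this message, as an added example that is not part of the original post: it flags SEARCH requests whose logged request field carries a long run of `\x90` escapes, and separates entries where HTML markup follows the run from entries where nothing does. The sample lines, addresses, the 16-escape threshold and the `classify` name are constructed for illustration.

```python
import re

# host ident user [time] "request" status bytes; the request may hold \" escapes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)$')
SLED_RE = re.compile(r'(?:\\x90){16,}')    # long run of escaped 0x90 bytes (assumed threshold)
PROTO_RE = re.compile(r' ?HTTP/\d\.\d$')   # protocol token that ends the request field
MARKUP_RE = re.compile(r'</?[A-Za-z][A-Za-z0-9]*[\s>]')  # an HTML tag in the tail

def classify(line):
    """Return (verdict, sled_bytes, tail_chars) for one access_log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ("unparsed", 0, 0)
    request = m.group(3)
    sleds = list(SLED_RE.finditer(request))
    if not request.startswith("SEARCH ") or not sleds:
        return ("no-sled", 0, 0)
    last = sleds[-1]
    sled_bytes = len(last.group(0)) // 4   # each \x90 escape is 4 characters
    # Whatever follows the last run, minus the protocol token, is the tail
    tail = PROTO_RE.sub("", request[last.end():])
    if MARKUP_RE.search(tail):
        # Markup after the run: text from another response ended up in the entry
        return ("sled-with-markup", sled_bytes, len(tail))
    return ("sled-only", sled_bytes, len(tail))

# Constructed sample lines (documentation addresses, shortened payloads)
SLED = r'\x90' * 40
PREFIX = r'SEARCH /\x90' + r'\x02\xb1' * 8
SAMPLE = [
    '192.0.2.10 - - [12/Jul/2004:22:29:30 +0200] "GET /index.php HTTP/1.0" 200 68000',
    '198.51.100.7 - - [12/Jul/2004:22:29:31 +0200] "' + PREFIX + SLED + ' HTTP/1.0" 414 250',
    '198.51.100.7 - - [12/Jul/2004:22:29:32 +0200] "' + PREFIX + SLED
    + r'</option><option value=\"America/Guadeloupe\">Guadeloupe</option><HTTP/1.0" 414 250',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Entries classified as `sled-with-markup` are the ones worth keeping with their raw bytes and timestamps, since the tail length shows how much foreign text was logged.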

