Bugtraq mailing list archives
Httpd Logging Methods
From: v0rt () DAYROM COM AU (v0rt)
Date: Tue, 24 Aug 1999 10:36:27 +1000
Sorry for the briefness of this email, time refraints prohibit me from fully analysing the situation. Hopefully others will be able to give results on other httpd servers and how they resond to these requests. Recently, while looking into Httpd/CGI security, I noticed that the httpd did not log correct httpd requests sent as hex in clear text in the access_log, as it does when it writes to error.log when a 404 is returned. ie. access_log 192.168.0.4 - - [24/Aug/1999:10:12:09 +1000] "GET /%41 HTTP/1.0" 404 195 error.log [Tue Aug 24 10:12:09 1999] [error] [client 192.168.0.4] File does not exist: /home/v0rt/public_html/A While this in turn is no big security hole, not in the broadest terms, it does however bypass some security means posed by many httpd log analysers, which can detect webbased scans, ie. vunerable cgi scans. Because these log analysers _should_ check the access_log rather than just the error_log for scan attempts (incase vunerable cgi scripts are running) if they do not check for the hex equivilent of the clear text cgi get requests, then the analyst will return null to scan attempts. This post is not an advisory, more of a request for someone with greater resources than mine to test this on a variety of different httpd servers and post the results. Also how httpd respond to requests for hex values which lie in the extended character set, %0A %A0 etc. This post is also aimed at the developers of log analysers in the hope that they will resond and change their code to include hex request values. Currently this has only been tested on Apache/1.3.3 (Unix) v0rt_ xeb [slash] xec http://v0rt.dayrom.com.au
Current thread:
- Internet Auditing Project Elias Levy (Aug 13)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)
- Re: Internet Auditing Project CyberPsychotic (Aug 16)
- Re: Internet Auditing Project Viljo Hakala (Aug 17)
- Stupid bug in W3-msql gregory duchemin (Aug 17)
- Re: Stupid bug in W3-msql David J. Hughes (Aug 19)
- Httpd Logging Methods v0rt (Aug 23)
- <Possible follow-ups>
- Re: Internet Auditing Project David Luyer (Aug 15)
- Re: Internet Auditing Project Peter J. Holzer (Aug 17)
- [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Bill Nottingham (Aug 17)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Tymm Twillman (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Michal Zalewski (Jul 03)
- [RHSA-1999:029-01] Denial of service attack in in.telnetd Bill Nottingham (Aug 19)
- Re: [RHSA-1999:028-01] Buffer overflow in libtermcap tgetent() Olaf Kirch (Aug 19)
- Insecure use of file in /tmp by trn Martin Schulze (Aug 19)
- Re: Internet Auditing Project Jerry Carlin (Aug 13)