Bugtraq mailing list archives
Re: HTTP REQUEST_METHOD flaw
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Wed, 6 Jan 1999 10:37:50 -0800
The other obvious implication is the REQUEST_METHOD environment variable. Just the possibility of an overflow or someone's ill-kept script only recognizing 2 different possible request methods, and causing it to act oddly.
--Perry
The problem relates to "allowable" REQUEST_METHODs when a dynamic resource, such as a CGI script, is requested. Essentially _any_ (except for HEAD, TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in the HTTP protocol. Consider the following requests which all return the requested resource.
Cheers,
David Litchfield
-- Perry Harrington Director of System Architecture zelur xuniL () http://www.webcom.com perry.harrington () webcom com Think Blue. /\
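The two-method script described in the message above, next to an allow-list version, as an added example that is not part of the original post. The names `naive_dispatch`, `strict_dispatch` and the `action` enum are hypothetical, and the choice of GET and POST as the only supported methods is an assumption.

```c
/* Added example: function and enum names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action { ACT_READ, ACT_WRITE, ACT_REJECT };

/* The pattern the post warns about: the script knows two methods, so any
 * other token, defined by HTTP or not, silently takes the POST branch. */
enum action naive_dispatch(const char *method)
{
    if (method != NULL && strcmp(method, "GET") == 0)
        return ACT_READ;
    return ACT_WRITE;   /* "FOO", "", or an unset variable all end up here */
}

/* Hardened form: exact, case-sensitive match against an allow-list.
 * The value is only compared, never copied into a fixed-size buffer,
 * so its length cannot overflow anything in this code. */
enum action strict_dispatch(const char *method)
{
    if (method == NULL)
        return ACT_REJECT;
    if (strcmp(method, "GET") == 0)
        return ACT_READ;
    if (strcmp(method, "POST") == 0)
        return ACT_WRITE;
    return ACT_REJECT;
}

int main(void)
{
    /* The web server sets REQUEST_METHOD for a CGI program. */
    switch (strict_dispatch(getenv("REQUEST_METHOD"))) {
    case ACT_READ:
        fputs("Content-Type: text/plain\r\n\r\nread path\n", stdout);
        break;
    case ACT_WRITE:
        fputs("Content-Type: text/plain\r\n\r\nwrite path\n", stdout);
        break;
    default:
        /* CGI "Status" header tells the server which HTTP status to send. */
        fputs("Status: 405 Method Not Allowed\r\nAllow: GET, POST\r\n"
              "Content-Type: text/plain\r\n\r\nmethod not allowed\n", stdout);
        break;
    }
    return 0;
}
```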