Bugtraq mailing list archives

Re: HTTP REQUEST_METHOD flaw


From: sevo () inm de (Sevo Stille)
Date: Wed, 6 Jan 1999 21:30:43 +0100



mnemonix wrote:

> There is a "feature" inherent in some web servers, such as Apache 1.3.x or
> MS IIS, that carries mild security implications that could allow web server
> attacks to go unnoticed.

As a matter of fact, this is no server problem - any server behaving as
you describe acts absolutely according to the specs. It is a CGI issue -
see below for an explanation.

> The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> such as a CGI script is requested. Essentially _any_ (except for HEAD,
> TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> the HTTP protocol.

Well, HTTP does not define or restrict a set of allowable methods - it
has specifications and definitions for some, but any server or CGI
application can define more and other methods (which makes it hard to
disallow methods on the server, as CGI does not define any channel over
which a CGI could proclaim its set of supported methods to the server).

> Consider the following requests which all return the
> requested resource.
>
>  GET /cgi-bin/environ.cgi HTTP/0.9
>
>  Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
>
> Even control characters are allowed. Consider the following:
>
>  ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1


Of course control chars are and must be allowed - CGI is defined to be
transparent towards the application. For a request satisfied by the
server, the server would have to (and at any rate apache does) return a
501 method not implemented error, according to the specs, par. 5.1.1.
However CGI scripts are not satisfied by the server - the server hands
off the request to them, and they have to handle the requested method,
or return an error 405 or 501. A CGI lib defaulting to handling any
unknown request as GET is polite, but it could be considered broken.

> As I said it's only a mild problem most likely, really, to affect those that
> don't use a text editor to browse log files.

Quite so. Nonetheless it would be desirable if the common CGI libraries
would perform a somewhat more strict method check. The paranoid may want
to pipe their log through a filter which replaces control chars with
some associated symbolic value.

Sevo


--
Sevo Stille
sevo () inm de
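The two measures recommended in the reply above, a stricter REQUEST_METHOD check inside the CGI script (405 for a known method the script does not serve, 501 for an unknown one) and a log filter that replaces control characters with a symbolic form, written out as an added example in Python. This is not code from the thread or from any CGI library; the allowlist of served methods, the reason phrases, the caret-notation scheme and the sample access-log line are all constructed for illustration.

```python
"""Strict REQUEST_METHOD handling for a CGI script, plus a log filter
that renders control characters in caret notation.  Added example; the
allowlist, reason phrases and sample log line are constructed."""
import os
import re
import sys

# Methods this particular script actually implements (constructed).
ALLOWED_METHODS = ("GET", "POST")

# Methods defined by HTTP/1.1 (RFC 2068) that the script knows of but does
# not serve; anything else is treated as an unknown method.
HTTP11_METHODS = frozenset(
    {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE"})

REASONS = {405: "Method Not Allowed", 501: "Not Implemented"}


def check_method(environ):
    """Map REQUEST_METHOD to (status, value for the Allow header or None).

    The rule from the thread: the script must handle the method itself or
    answer 405 (known method, not allowed on this resource) or 501 (unknown
    method) instead of quietly treating everything as GET.
    """
    method = environ.get("REQUEST_METHOD", "")
    if method in ALLOWED_METHODS:
        return 200, None
    if method in HTTP11_METHODS:
        return 405, ", ".join(ALLOWED_METHODS)
    return 501, None


def build_response(environ):
    """Return the complete CGI response (headers plus body) for a request."""
    status, allow = check_method(environ)
    if status == 200:
        # A real script dispatches on the method here.
        body = "handled %s\r\n" % environ["REQUEST_METHOD"]
        return "Content-Type: text/plain\r\n\r\n" + body
    reason = REASONS[status]
    # CGI scripts report non-200 codes to the server via the Status: header.
    headers = ["Status: %d %s" % (status, reason)]
    if allow:
        headers.append("Allow: %s" % allow)
    headers.append("Content-Type: text/plain")
    return "\r\n".join(headers) + "\r\n\r\n" + reason + "\r\n"


# Control characters (0x00-0x1f, 0x7f) and a literal '^', which is doubled so
# the sanitized output stays unambiguous.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f^]")


def _caret(match):
    ch = match.group(0)
    if ch == "^":
        return "^^"
    if ch == "\x7f":
        return "^?"
    return "^" + chr(ord(ch) ^ 0x40)  # 0x08 -> "^H", 0x0d -> "^M", 0x00 -> "^@"


def sanitize_log_line(line):
    """Render control characters in caret notation, so a backspace-laden
    request line shows up as ^H^H... instead of erasing text in the viewer,
    and an embedded CR or LF cannot pass for a real line break.  Only the
    line terminator itself is dropped."""
    return _UNSAFE.sub(_caret, line.rstrip("\r\n"))


# Constructed access-log line echoing the request shown in the thread.
SAMPLE_LOG_LINE = ('10.0.0.1 - - [06/Jan/1999:21:30:43 +0100] '
                   '"\x08\x08\x08 /cgi-bin/environ.cgi HTTP/1.1" 200 512\n')


def main(argv):
    if len(argv) > 1 and argv[1] == "--sanitize":
        # Usage: cat access_log | python thisfile.py --sanitize
        for line in sys.stdin:
            sys.stdout.write(sanitize_log_line(line) + "\n")
    else:
        # Usage as a CGI script: the server supplies REQUEST_METHOD in the environment.
        sys.stdout.write(build_response(os.environ))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments under a CGI-capable server, the script answers its served methods normally and rejects the rest with an explicit status rather than falling through to GET; run with `--sanitize` over an access log, every control character in a request line becomes visible as `^H`, `^M` and so on.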