Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
- To: H D Moore <fdlist@xxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] IPS Evasion with the Apache HTTP Server
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Wed, 20 Jun 2007 16:21:27 +0400
Dear H D Moore,
--Tuesday, June 19, 2007, 11:20:41 PM, you wrote to
full-disclosure@xxxxxxxxxxxxxxxxx:
HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
HDM> nc webserver 80
According to the recommendations of RFC 2616, section 4.1, a web server or
proxy server should ignore \r\n before a request for compatibility with
odd clients that send a trailing \r\n with POST requests over keep-alive
connections:
In the interest of robustness, servers SHOULD ignore any empty
line(s) received where a Request-Line is expected. In other words, if
the server is reading the protocol stream at the beginning of a
message and receives a CRLF first, it should ignore the CRLF.
$ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80
Does the same job. This problem (unsupported request method) was already
reported by Michal Majchrowicz, see
http://securityvulns.com/Qdocument846.html
--
~/ZARAZA http://securityvulns.com/
Electric shocks are very useful for building character. (Lem)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
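The two request streams discussed in the thread, run through a small RFC 2616 section 4.1-style request-line parser. This is an added example written for this page, not code from either poster or from Apache; the sample streams are constructed here, and the idea is that an IPS or proxy parser which skips leading empty lines the way the server does, and then flags an empty or non-token method, no longer disagrees with Apache about where the request starts.

```python
import re

# Constructed sample streams (not taken from the original post): the two
# shapes discussed in the thread plus an ordinary request for comparison.
SAMPLES = {
    "leading_crlf": b"\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n",
    "space_method": b" /buggy.php HTTP/1.0\r\n\r\n",
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

# RFC 2616 "token" characters; a Method must be a non-empty token.
TOKEN = re.compile(rb"^[A-Za-z0-9!#$%&'*+.^_|~-]+$")


def parse_request_line(stream: bytes) -> dict:
    """Parse the Request-Line of an HTTP stream the way RFC 2616 section
    4.1 asks servers to, and report anomalies a detector should alert on.

    Empty lines before the Request-Line are skipped (and counted) instead
    of being treated as the request itself, so this parser and the server
    agree on which line carries the method and target."""
    anomalies = []
    skipped = 0
    rest = stream
    # Section 4.1: ignore empty line(s) received where a Request-Line is expected.
    while rest.startswith((b"\r\n", b"\n")):
        rest = rest[2:] if rest.startswith(b"\r\n") else rest[1:]
        skipped += 1
    if skipped:
        anomalies.append("leading_empty_lines")
    line = rest.split(b"\r\n", 1)[0]
    parts = line.split(b" ")  # Request-Line = Method SP Request-URI SP HTTP-Version
    if len(parts) != 3:
        anomalies.append("malformed_request_line")
        method, target, version = line, b"", b""
    else:
        method, target, version = parts
    if not TOKEN.match(method):  # empty method, as in " /buggy.php HTTP/1.0"
        anomalies.append("invalid_method")
    if not version.startswith(b"HTTP/"):
        anomalies.append("invalid_version")
    return {
        "method": method.decode("latin-1"),
        "target": target.decode("latin-1"),
        "version": version.decode("latin-1"),
        "skipped_empty_lines": skipped,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    for name, stream in SAMPLES.items():
        print(name, parse_request_line(stream))
```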