mnemonix wrote:
>
> There is a "feature" inherent in some web servers, such as Apache 1.3.x or
> MS IIS, that carries mild security implications that could allow web server
> attacks to go unnoticed.

As a matter of fact, this is no server problem - any server behaving as you
describe acts absolutely according to the specs. It is a CGI issue - see
below for an explanation.

> The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> such as a CGI script, is requested. Essentially _any_ (except for HEAD,
> TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> the HTTP protocol.

Well, HTTP does not define or restrict a set of allowable methods - it has
specifications and definitions for some, but any server or CGI application
(which makes it hard to disallow methods on the server, as CGI does not
define any channel over which a CGI could proclaim its set of supported
methods to the server) can define more and other methods.

> Consider the following requests, which all return the
> requested resource.
>
> GET /cgi-bin/environ.cgi HTTP/0.9
>
> Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
>
> Even control characters are allowed. Consider the following:
>
> ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
>

Of course control chars are and must be allowed - CGI is defined to be
transparent towards the application.

For a request satisfied by the server, the server would have to (and at any
rate apache does) return a 501 method not implemented error, according to
the specs, par. 5.1.1. However, CGI scripts are not satisfied by the server -
the server hands off the request to them, and they have to handle the
requested method, or return an error 405 or 501.

A CGI lib defaulting to handling any unknown request as GET is polite, but
it could be considered broken.

> As I said, it's only a mild problem most likely, really, to affect those that
> don't use a text editor to browse log files.

Quite so. Nonetheless, it would be desirable if the common CGI libraries
would perform a somewhat more strict method check. The paranoid may want to
pipe their log through a filter which replaces control chars with some
associated symbolic value.

Sevo

--
Sevo Stille
sevoat_private
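The strict method check Sevo asks for, together with the log filter he suggests, as an added example that is not part of the original thread and not the code of any particular CGI library: a Python 3 CGI script that refuses every method it does not implement, using the distinction from par. 5.1.1 cited above (405 with an Allow header for a method HTTP/1.1 defines but this resource does not support, 501 for a method it has never heard of, such as "Azx5T8uHTRuDL" or a run of ^H), plus a filter mode that rewrites control characters in caret notation so a logged request line cannot erase itself on a terminal. The set of implemented methods, the echo-style 200 body and the --filter-log flag are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Strict REQUEST_METHOD handling for a CGI script, plus a log filter.

Added example (not from the thread or any CGI library).  The implemented
method set and the --filter-log flag are assumptions for illustration.
"""
import os
import sys

# Methods this particular script implements (assumption for the example).
# Anything else is refused instead of being silently treated as GET.
IMPLEMENTED = ("GET", "HEAD", "POST")

# Methods defined by HTTP/1.1 (RFC 2616 section 5.1.1).  A method outside
# this set is "not implemented" (501); one inside it but not in IMPLEMENTED
# is "not allowed" for this resource (405, with an Allow header).
HTTP11_METHODS = frozenset(
    ("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"))

REASON = {200: "OK", 405: "Method Not Allowed", 501: "Not Implemented"}


def check_method(method):
    """Return None if the script should handle `method`, otherwise a
    (status, headers) tuple describing the error response to send."""
    if method in IMPLEMENTED:
        return None
    if method in HTTP11_METHODS:
        return (405, [("Allow", ", ".join(IMPLEMENTED))])
    return (501, [])


def dispatch(environ):
    """Handle one CGI request described by `environ` (normally os.environ).

    Returns (status, headers, body) rather than printing, so the behaviour
    can be checked offline with a constructed environment."""
    method = environ.get("REQUEST_METHOD", "")
    err = check_method(method)
    if err is not None:
        status, headers = err
        return (status, headers + [("Content-Type", "text/plain")],
                "%d %s\n" % (status, REASON[status]))
    # A real script would branch on the method here; the example echoes it.
    body = "" if method == "HEAD" else "handled %s\n" % method
    return (200, [("Content-Type", "text/plain")], body)


def write_response(response, out=sys.stdout):
    """Emit `response` in CGI form: Status header, headers, blank line, body."""
    status, headers, body = response
    out.write("Status: %d %s\r\n" % (status, REASON[status]))
    for name, value in headers:
        out.write("%s: %s\r\n" % (name, value))
    out.write("\r\n")
    out.write(body)


def sanitize_for_log(text):
    """Render control characters symbolically before a log line is viewed.

    C0 controls become caret notation (0x08 -> ^H, 0x1b -> ^[), DEL becomes
    ^?, bytes above 0x7e become \\xNN, and a literal ^ is doubled so the
    output stays unambiguous."""
    out = []
    for ch in text:
        code = ord(ch)
        if ch == "^":
            out.append("^^")
        elif code < 0x20:
            out.append("^" + chr(code + 0x40))
        elif code == 0x7F:
            out.append("^?")
        elif code > 0x7E:
            out.append("\\x%02x" % code if code <= 0xFF else "\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    if "--filter-log" in sys.argv[1:]:
        # Log-filter mode: raw bytes in, caret-escaped text out.  Decoding
        # as latin-1 maps every byte to exactly one code point, so a log
        # containing arbitrary bytes cannot make the filter itself fail.
        for raw in sys.stdin.buffer:
            line = raw.decode("latin-1").rstrip("\r\n")
            sys.stdout.write(sanitize_for_log(line) + "\n")
    else:
        # CGI mode: the server has already put REQUEST_METHOD in the
        # environment; refuse it here rather than defaulting to GET.
        write_response(dispatch(os.environ))
```

Run as `cat access_log | ./environ_strict.py --filter-log` to view a log safely; installed as a CGI script, the same file answers the "Azx5T8uHTRuDL" request with a 501 instead of the resource. The 405/501 split is deliberate: a 405 tells a legitimate client which methods would have worked, while a 501 gives an unrecognised verb nothing.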
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:27:42 PDT