Perhaps in the server source code there should be a feature to restrict the server to accepting only 'known request methods'. Either that or restricting the length would stop any buffer overflow attacks.

On Wed, 6 Jan 1999, Sevo Stille wrote:

> mnemonix wrote:
> >
> > There is a "feature" inherent in some web servers, such as Apache 1.3.x or
> > MS IIS, that carries mild security implications that could allow web server
> > attacks to go unnoticed.
>
> As a matter of fact, this is no server problem - any server behaving as
> you describe acts absolutely according to the specs. It is a CGI issue -
> see below for an explanation.
>
> > The problem relates to "allowable" REQUEST_METHODs when a dynamic resource,
> > such as a CGI script is requested. Essentially _any_ (except for HEAD,
> > TRACE and OPTIONS) REQUEST_METHOD can be used - even methods not defined in
> > the HTTP protocol.
>
> Well, HTTP does not define or restrict a set of allowable methods - it
> has specifications and definitions for some, but any server or CGI
> application (which makes it hard to disallow methods on the server, as
> CGI does not define any channel over which a CGI could proclaim its set
> of supported methods to the server) can define more and other methods.
>
> > Consider the following requests which all return the
> > requested resource.
> >
> > GET /cgi-bin/environ.cgi HTTP/0.9
> >
> > Azx5T8uHTRuDL /cgi-bin/environ.cgi HTTP/1.0
> >
> > Even Control characters are allowed. Consider the following:
> >
> > ^H^H^H^H^H^H^H^H^H lots of these ^H^H /cgi-bin/environ.cgi HTTP/1.1
> >
>
> Of course control chars are and must be allowed - CGI is defined to be
> transparent towards the application. For a request satisfied by the
> server, the server would have to (and at any rate apache does) return a
> 501 method not implemented error, according to the specs, par. 5.1.1.
> However CGI scripts are not satisfied by the server - the server hands
> off the request to them, and they have to handle the requested method,
> or return an error 405 or 501. A CGI lib defaulting to handling any
> unknown request as GET is polite, but it could be considered broken.
>
> > As I said it's only a mild problem most likely, really, to affect those that
> > don't use a text editor to browse log files.
>
> Quite so. Nonetheless it would be desirable if the common CGI libraries
> would perform a somewhat more strict method check. The paranoid may want
> to pipe their log through a filter which replaces control chars with
> some associated symbolic value.
>
> Sevo
>
>
> --
> Sevo Stille
> sevoat_private

Thank you,

Jonathan A. Zdziarski
Sr. Systems Administrator
Netrail, inc.
888.NET.RAIL x240
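The two defences the thread points at, a CGI-side method check that answers 405 or 501 instead of silently treating an unknown REQUEST_METHOD as GET, and a log filter that rewrites control characters into a visible symbolic form, as an added Python example (not code from the original post, nor from Apache, IIS or any CGI library). The function names, the length cap and the sample log lines are assumptions made for the example.

```python
import os
import re
import sys

# Methods an RFC 2068 server recognises, and the subset this script implements.
# Unrecognised -> 501, recognised but unsupported here -> 405 (RFC 2068 5.1.1).
KNOWN_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE"}
ALLOWED_METHODS = {"GET", "POST"}
MAX_METHOD_LEN = 16  # assumed cap: no legitimate method token comes near this


def check_method(method):
    """Map a REQUEST_METHOD value to (HTTP status, reason phrase)."""
    if method is None or len(method) > MAX_METHOD_LEN:
        return 501, "Not Implemented"
    if method not in KNOWN_METHODS:        # e.g. "Azx5T8uHTRuDL" or "^H^H^H"
        return 501, "Not Implemented"
    if method not in ALLOWED_METHODS:      # e.g. "PUT" against a read-only script
        return 405, "Method Not Allowed"
    return 200, "OK"


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def escape_control_chars(line):
    """Rewrite control characters in one log line into caret notation.

    Backspace (0x08) becomes the two printable characters ^H, ESC becomes ^[,
    DEL becomes ^?, so bytes a terminal would act on are shown instead.
    """
    def visible(match):
        code = ord(match.group(0))
        return "^?" if code == 0x7f else "^" + chr(code + 0x40)
    return _CONTROL.sub(visible, line)


def filter_log(lines):
    """Apply escape_control_chars to every line of an access log."""
    return [escape_control_chars(line) for line in lines]


def cgi_main():
    """CGI entry point: refuse the request unless the method is allowed."""
    status, reason = check_method(os.environ.get("REQUEST_METHOD"))
    sys.stdout.write("Status: %d %s\r\n" % (status, reason))
    if status == 405:
        sys.stdout.write("Allow: %s\r\n" % ", ".join(sorted(ALLOWED_METHODS)))
    sys.stdout.write("Content-Type: text/plain\r\n\r\n%d %s\r\n" % (status, reason))


if __name__ == "__main__":
    cgi_main()
```

`filter_log` can be run over `sys.stdin` lines as the "pipe the log through a filter" step the thread mentions; the constructed line `"\x08\x08GET /cgi-bin/environ.cgi"` comes out as `^H^HGET /cgi-bin/environ.cgi`.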
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:02 PDT