Httpd Logging Methods

From: v0rt (v0rtat_private)
Date: Mon Aug 23 1999 - 17:36:27 PDT


    Sorry for the briefness of this email, time constraints prohibit me from
    fully analysing the situation. Hopefully others will be able to give
    results on other httpd servers and how they respond to these requests.
    
    Recently, while looking into Httpd/CGI security, I noticed that the
    httpd did not log correct httpd requests sent as hex in clear text in
    the access_log, as it does when it writes to error.log when a 404 is
    returned.
    
    ie.
    access_log
    192.168.0.4 - - [24/Aug/1999:10:12:09 +1000] "GET /%41 HTTP/1.0" 404 195
    
    error.log
    [Tue Aug 24 10:12:09 1999] [error] [client 192.168.0.4] File does not
    exist: /home/v0rt/public_html/A
    
    While this in turn is no big security hole, not in the broadest terms,
    it does however bypass some security means posed by many httpd log
    analysers, which can detect web-based scans, ie. vulnerable CGI scans.
    
    Because these log analysers _should_ check the access_log rather than
    just the error_log for scan attempts (in case vulnerable CGI scripts are
    running), if they do not check for the hex equivalent of the clear text
    CGI GET requests, then the analyst will return null to scan attempts.
    
    This post is not an advisory, more of a request for someone with greater
    resources than mine to test this on a variety of different httpd servers
    and post the results. Also how httpds respond to requests for hex values
    which lie in the extended character set, %0A %A0 etc.
    
    This post is also aimed at the developers of log analysers in the hope
    that they will respond and change their code to include hex request
    values.
    
    Currently this has only been tested on Apache/1.3.3 (Unix)
    
    
    v0rt_
    
    xeb [slash] xec
    http://v0rt.dayrom.com.au
    
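The detection gap the post describes, worked through as an added example (this is not code from the post or from any log analyser it mentions): an access_log scanner that percent-decodes the request path before matching it, so that `/cgi-bin/%70%68%66` is caught exactly like `/cgi-bin/phf`, and that additionally flags the two evasion indicators the post touches on: escapes that encode characters which never need encoding (`/%41` for `/A`) and decoded bytes outside printable ASCII (`%0A`, `%A0`). The signature list and the sample log lines are constructed for illustration; only the `/%41` line comes from the post.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache Common Log Format (CLF), the format of the access_log line in the post.
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical signature list: paths a late-1990s CGI scanner would probe for.
# The post names no specific scripts; these are constructed for illustration.
CGI_SIGNATURES = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler")

# RFC 3986 "unreserved" characters never need percent-encoding; a client that
# encodes them anyway (e.g. /%41 for /A) is usually trying to dodge a signature.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def parse_clf(line):
    """Return the CLF fields of one access_log line, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def decode_path(target):
    """Percent-decode the path part of a request-target once, as the httpd does
    before mapping it onto the filesystem (the query string is dropped)."""
    path = target.split("?", 1)[0]
    return unquote_to_bytes(path)  # bytes: %0A -> b"\n", %A0 -> b"\xa0"


def encoded_unreserved(target):
    """True if any %XX escape in the raw target encodes an unreserved character."""
    path = target.split("?", 1)[0]
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", path):
        if chr(int(m.group(1), 16)) in UNRESERVED:
            return True
    return False


def classify(line):
    """Analyse one access_log line. Returns a dict describing what was found,
    or None for lines that are not CLF. Signatures are matched against the
    *decoded* path, which is the step a clear-text-only analyser skips."""
    rec = parse_clf(line)
    if rec is None:
        return None
    raw = rec["target"]
    decoded_bytes = decode_path(raw)
    decoded = decoded_bytes.decode("latin-1")  # lossless 1:1 byte -> char mapping
    hits = [sig for sig in CGI_SIGNATURES if decoded.startswith(sig)]
    return {
        "host": rec["host"],
        "status": int(rec["status"]),
        "raw": raw,
        "decoded": decoded,
        "hits": hits,
        "evasive": encoded_unreserved(raw),
        # control characters or high-bit bytes (%0A, %A0, ...) do not belong in a path
        "nonprintable": any(b < 0x20 or b >= 0x7F for b in decoded_bytes),
    }


def scan(lines):
    """Return the classification of every line that is suspicious for any reason."""
    out = []
    for line in lines:
        r = classify(line)
        if r and (r["hits"] or r["evasive"] or r["nonprintable"]):
            out.append(r)
    return out


# Constructed sample access_log; the /%41 line is the one quoted in the post.
SAMPLE_LOG = [
    '192.168.0.4 - - [24/Aug/1999:10:12:01 +1000] "GET /cgi-bin/phf HTTP/1.0" 404 195',
    '192.168.0.4 - - [24/Aug/1999:10:12:05 +1000] "GET /cgi-bin/%70%68%66 HTTP/1.0" 404 195',
    '192.168.0.4 - - [24/Aug/1999:10:12:09 +1000] "GET /%41 HTTP/1.0" 404 195',
    '192.168.0.4 - - [24/Aug/1999:10:12:12 +1000] "GET /cgi-bin/test-cgi%0A HTTP/1.0" 404 195',
    '192.168.0.9 - - [24/Aug/1999:10:13:00 +1000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["host"]} {r["raw"]!r} -> {r["decoded"]!r} '
              f'hits={r["hits"]} evasive={r["evasive"]} nonprintable={r["nonprintable"]}')
```

Decoding is done exactly once, matching what Apache does before the filesystem lookup; an analyser that decodes repeatedly would start seeing things the server never saw (`%2541` is `%41` to the server, not `A`). The high-bit and control-byte flag is deliberately independent of the signature list, since the post's open question about `%0A` and `%A0` is precisely that nobody yet knows how each httpd maps those onto a file name.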



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:23 PDT