Re: Hidden requests to Apache

From: Rasmus Bøg Hansen (moffeat_private)
Date: Wed Oct 24 2001 - 23:00:51 PDT


    On Wed, 24 Oct 2001, smiler wrote:
    
    > It's possible to "cheat" an Apache sysadministrator and make him think that
    > his server didn't log an HTTP request, or make him think that a request has
    > been made by another IP address.
    > This "cheating" is only valid when the log is displayed on the screen using
    > common Unix utils such as cat, tail, grep, etc...
    > This will not work with the kind of sysadmin that edits the logs using vi or
    > even prints them to read at night in bed eh eh :-)
    > I am not sure if this can be considered a bug or a feature (?) but in
    > any case it will surely lead Apache sysadmins into mistakes !!
    
    I cannot reproduce this on RedHat Linux 7.0, apache 1.3.19.
    
    > ----------Technique----------
    > 
    > To make a request and to make it seem like it came from NO IP ADDRESS at
    > all, the request should be made like this:
    > 
    > GET / HTTP/1.0 \r\r\n
    > 
    > In this case APACHE will print the carriage return character in the log
    > file. So when we try to tail the access_log file it will be shown on the
    > screen as:
    > 
    > " 414 3461.251 - - [24/Oct/2001:18:58:18 +0100] "GET / HTTP/1.0
    
    GET / HTTP/1.0 \r\r\n
    
    gives this log entry:
    
    194.182.238.30 - - [25/Oct/2001:07:54:01 +0200] "GET / HTTP/1.0 \r\r\n" 
    200 510 "-" "-"
    
    > A normal line would be :
    > 
    > 127.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
    > 
    > The normal line output will help us to understand what happens: cat
    > made a carriage return after the HTTP/1.0 and printed the rest of the log
    > over the IP address field.
    > We can also make it look like the request came from another IP address, and
    > this is preferable because this way the sysadmin will see no apparent
    > strange behaviour in the logfile. Just be careful with the timestamp !!
    > So the request should be:
    > 
    > GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET /
    > HTTP/1.0\r\n
    > 
    > And the logfile will appear like this:
    > 
    > 10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164
    
    The above gives this log entry:
    
    194.182.238.3 - - [25/Oct/2001:07:56:41 +0200] "GET / HTTP/1.0 
    \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0\r\n" 200 510 
    "-" "-"
    
    Rasmus
    
    -- 
    -- [ Rasmus 'Møffe' Bøg Hansen ] ---------------------------------------
    I haven't lost my mind;
    I have backed it up on tape somewhere........
    --------------------------------- [ moffe at amagerkollegiet dot dk ] --
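    The two request shapes discussed above, worked through end to end as an
    added example (Python; this is not code from the thread, from smiler or
    from Apache). It builds constructed common-log-format lines the way an
    Apache that copies the request line verbatim would write them (the
    behaviour smiler reports; Rasmus's server instead wrote the escaped
    "\r\r\n", which is what escape_control() below produces), simulates what a
    terminal shows when cat/tail/grep prints the raw line, and scans a small
    constructed log for entries whose request field carries control
    characters. The addresses, timestamps, status codes and sizes are
    illustrative, and common_log_line() is a helper assumed here, not an
    Apache API.

```python
"""
Carriage-return log injection against an Apache access log, and two ways to
see through it. Added example; not code from the thread or from Apache.

The log lines are constructed to follow the common log format quoted in the
post. Addresses, timestamps, status codes and sizes are illustrative.
"""
import re

COMMON_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$',
    re.DOTALL,  # let .* run across the injected \r as well
)

# The forged line the attacker wants the admin to see (technique 2).
FORGED_LINE = '10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0" 200 164'


def common_log_line(ip, ts, request_line, status, size):
    """Assumed helper: what an Apache that does not escape control characters
    writes. The request line is copied into the log verbatim, CR included."""
    return '%s - - [%s] "%s" %d %d' % (ip, ts, request_line, status, size)


# Technique 1: a lone CR at the end of the request line. On screen the
# '" 414 346' tail overwrites the start of the client address.
LINE_T1 = common_log_line(
    '172.16.101.251', '24/Oct/2001:18:58:18 +0100', 'GET / HTTP/1.0 \r', 414, 346)

# Technique 2: CR followed by a complete fake log line. Apache strips only the
# final CRLF, so the fake line survives inside the quoted request field and
# the real suffix '" 200 164' that Apache appends completes the forgery.
LINE_T2 = common_log_line(
    '127.0.0.1', '24/Oct/2001:19:00:32 +0100',
    'GET / HTTP/1.0 \r10.0.0.1 - - [24/Oct/2001:19:00:32 +0100] "GET / HTTP/1.0',
    200, 164)

# Constructed three-line access log: one clean entry, then both techniques.
SAMPLE_LOG = '\n'.join([
    common_log_line('203.0.113.5', '24/Oct/2001:18:57:02 +0100', 'GET / HTTP/1.0', 200, 164),
    LINE_T1,
    LINE_T2,
]) + '\n'


def render_terminal(line):
    """Simulate a terminal (what cat/tail/grep output looks like): '\\r' moves
    the cursor to column 0 and later characters overwrite earlier ones."""
    screen = []
    col = 0
    for ch in line:
        if ch == '\r':
            col = 0
        elif ch == '\n':
            break
        else:
            if col < len(screen):
                screen[col] = ch
            else:
                screen.append(ch)
            col += 1
    return ''.join(screen)


def escape_control(line):
    """Render control characters as backslash escapes, the way cat -v does,
    so a CR in the data cannot rewrite the line on screen."""
    out = []
    for ch in line:
        code = ord(ch)
        if ch == '\r':
            out.append('\\r')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\t':
            out.append('\\t')
        elif code < 0x20 or code == 0x7f:
            out.append('\\x%02x' % code)
        else:
            out.append(ch)
    return ''.join(out)


def audit_access_log(text):
    """Flag entries whose request field carries control characters (or that
    do not parse at all) and report the real client address next to what a
    terminal would have shown the admin."""
    findings = []
    for lineno, line in enumerate(text.split('\n'), 1):
        if not line:
            continue
        m = COMMON_LOG.match(line)
        real_ip = m.group('ip') if m else None
        suspicious = m is None or any(
            ord(c) < 0x20 or ord(c) == 0x7f for c in m.group('req'))
        if suspicious:
            findings.append({'line': lineno, 'real_ip': real_ip,
                             'displayed_as': render_terminal(line),
                             'escaped': escape_control(line)})
    return findings


if __name__ == '__main__':
    for f in audit_access_log(SAMPLE_LOG):
        print('line %d, real client %s' % (f['line'], f['real_ip']))
        print('  terminal shows: %s' % f['displayed_as'])
        print('  file contains:  %s' % f['escaped'])
```

    Run it with no arguments to see the forged view beside the escaped
    contents. The practical takeaway is the one Rasmus's output already hints
    at: read logs through something that escapes control characters (cat -v,
    less, or a logging build that escapes them itself), and when in doubt grep
    for a literal CR rather than trusting what scrolled past on the terminal.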
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:02:05 PDT