Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: IPS Evasion with the Apache HTTP Server
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 20 Jun 2007 16:21:27 +0400

Dear H D Moore,

--Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure () lists grok org uk:

HDM> $  echo  -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
HDM> nc webserver 80

According  to  recommendations  of  RFC  2616, section 4.1 Web server or
proxy  server  should  ignore \r\n before request for compatibility with
odd  clients  sending  trailing  \r\n  with POST requests via keep-alive
connections:

   In the interest of robustness, servers SHOULD ignore any empty
   line(s) received where a Request-Line is expected. In other words, if
   the server is reading the protocol stream at the beginning of a
   message and receives a CRLF first, it should ignore the CRLF.

$ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80

Does the same job. This problem (unsupported request method) was already
reported by Michal Majchrowicz, see

http://securityvulns.com/Qdocument846.html


-- 
~/ZARAZA http://securityvulns.com/
Электрические шоки очень полезны для формирования характера. (Лем)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault