| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Jun 2007 16:21:27 +0400 From: 3APA3A <3APA3A@...URITY.NNOV.RU> To: H D Moore <fdlist@...italoffense.net> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: IPS Evasion with the Apache HTTP Server Dear H D Moore, --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure@...ts.grok.org.uk: HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \ HDM> nc webserver 80 According to recommendations of RFC 2616, section 4.1 Web server or proxy server should ignore \r\n before request for compatibility with odd clients sending trailing \r\n with POST requests via keep-alive connections: In the interest of robustness, servers SHOULD ignore any empty line(s) received where a Request-Line is expected. In other words, if the server is reading the protocol stream at the beginning of a message and receives a CRLF first, it should ignore the CRLF. $ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80 Does the same job. This problem (unsupported request method) was already reported by Michal Majchrowicz, see http://securityvulns.com/Qdocument846.html -- ~/ZARAZA http://securityvulns.com/ Электрические шоки очень полезны для формирования характера. (Лем) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists