[Full-disclosure] IPS Evasion with the Apache HTTP Server
3APA3A
3APA3A at SECURITY.NNOV.RU
Wed Jun 20 13:21:27 BST 2007
Dear H D Moore,
--Tuesday, June 19, 2007, 11:20:41 PM, you wrote to full-disclosure at lists.grok.org.uk:
HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \
HDM> nc webserver 80
According to recommendations of RFC 2616, section 4.1 Web server or
proxy server should ignore \r\n before request for compatibility with
odd clients sending trailing \r\n with POST requests via keep-alive
connections:
In the interest of robustness, servers SHOULD ignore any empty
line(s) received where a Request-Line is expected. In other words, if
the server is reading the protocol stream at the beginning of a
message and receives a CRLF first, it should ignore the CRLF.
$ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80
Does the same job. This problem (unsupported request method) was already
reported by Michal Majchrowicz, see
http://securityvulns.com/Qdocument846.html
--
~/ZARAZA http://securityvulns.com/
Электрические шоки очень полезны для формирования характера. (Лем)
Full-Disclosure is hosted and sponsored by Secunia.