As I said, a quick fix to close the logging exploit. The information loss (changing ESC to the bell character 7) is very little; under normal operation, you should never have a bell character in the log file, and now, if you see one, it should ring a bell...

The incoming URL might be URL-encoded or not. If one URL-encodes the logged URL, then there is as well an information loss. One could certainly just URL-encode the escape character, but there is as well an information loss on these. One could grep safely for the bell character, but this is probably not very intuitive. Note that it is not only sufficient to escape the URL, the attack could as well come from other HTTP reply header fields.

One should implement a DStringAppendSanitized() function in nslog.c to allow multi-character substitutions.

-gustaf
On 09.09.10 14:41, Dossy Shiobara wrote:
As a short-term solution, this is probably adequate, but there's
information loss -- it'd be nice to indicate the original byte sequence
somehow in the log entry by escaping characters so that log analysis
tools could detect such attacks, etc.
Perhaps the right answer is to log the URI with proper URL-encoding, so
that it would be logged as %1B instead of the literal byte.
On 9/9/10 8:18 AM, Gustaf Neumann wrote:
I have just now committed a quick fix for the problem into the
aolserver/nslog/nslog.c
into the SourceForge module. Please check if this is in all cases
sufficient.
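
Added example, not part of the thread and not AOLserver code: a sketch of the multi-character substitution discussed above, writing every non-printable byte as \xHH and doubling backslashes so the original bytes stay recoverable from the log. The function name, the \xHH notation and the plain char buffer (instead of an Ns_DString) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not AOLserver code. Appends srclen bytes of src to the
 * NUL-terminated string in dst (capacity cap). Bytes outside printable ASCII
 * become \xHH and a backslash becomes \\, so the log stays plain text and the
 * original bytes can be recovered. Returns the number of bytes appended, or
 * (size_t)-1 with dst unchanged if the result would not fit. */
size_t log_append_sanitized(char *dst, size_t cap, const char *src, size_t srclen)
{
    static const char hex[] = "0123456789abcdef";
    size_t start = strlen(dst), pos = start, i;

    for (i = 0; i < srclen; i++) {
        unsigned char c = (unsigned char)src[i];
        size_t need = (c == '\\') ? 2 : (c < 0x20 || c > 0x7e) ? 4 : 1;

        if (pos + need >= cap) {        /* keep one byte for the NUL */
            dst[start] = '\0';          /* roll back the partial append */
            return (size_t)-1;
        }
        if (need == 1) {
            dst[pos++] = (char)c;
        } else {
            dst[pos++] = '\\';
            if (need == 2) {
                dst[pos++] = '\\';
            } else {
                dst[pos++] = 'x';
                dst[pos++] = hex[c >> 4];
                dst[pos++] = hex[c & 0x0f];
            }
        }
    }
    dst[pos] = '\0';
    return pos - start;
}

int main(void)
{
    /* Constructed request URL carrying an ESC [ 2 J terminal sequence. */
    const char url[] = "/index.html\x1b[2J";
    char line[128] = "GET ";
    if (log_append_sanitized(line, sizeof line, url, sizeof url - 1) != (size_t)-1)
        puts(line);
    return 0;
}
```

The same call applies to any logged request header value, not only the URL.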