http://issues.apache.org/bugzilla/show_bug.cgi?id=30831

Apache returns HTTP 200 on CONNECT without mod_proxy

Summary: Apache returns HTTP 200 on CONNECT without mod_proxy
Product: Apache httpd-2.0
Version: 2.0.50
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: All
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]

Several people have reported this problem on the Focus on Linux Security Focus mailing list. On an Apache 2.0.50 server compiled without mod_proxy running PHP 4.3.8, an HTTP CONNECT command returns an HTTP 200 rather than an HTTP 405 error:

> $ telnet a.somehost.com 80
> Trying x.x.x.x...
> Connected to a.somehost.com.
> Escape character is '^]'.
> CONNECT www.google.com:80 HTTP/1.0
> Host: a.somehost.com
>
> HTTP/1.1 200 OK
> Date: Tue, 24 Aug 2004 15:34:55 GMT
> Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8
> X-Powered-By: PHP/4.3.8
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> Unknown server name: www.google.com
> Connection closed by foreign host.

Since no proxy is enabled on this server, Apache should respond with a 405 Method Not Allowed. However, as you can see, it responds with a 200 OK.

Interestingly, this does not occur on Apache without PHP (or some other language, e.g. perl) installed:

> $ telnet b.somehost.com 80
> Trying y.y.y.y...
> Connected to b.somehost.com.
> Escape character is '^]'.
> CONNECT www.google.com:80 HTTP/1.0
> Host: b.somehost.com
>
> HTTP/1.1 405 Method Not Allowed
> Date: Tue, 24 Aug 2004 15:52:37 GMT
> Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8
> ... <snip error doc> ...
> Connection closed by foreign host.

See discussion of this issue on PHP Bugzilla: http://bugs.php.net/bug.php?id=19113

Since spammers are looking for open Apache proxies to forward spam to mail servers, this could result in a server getting hammered if some script kiddie thinks he has found an open proxy.
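Added example (not part of the original bug report, and not Apache or PHP code): one way for an administrator to see whether a server is answering CONNECT with a 2xx status, as in the first session above, is to audit the access log. The sketch assumes the log uses Apache's common/combined log format; the sample lines, client addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format:
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from the report); clients use documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Aug/2004:15:34:55 +0000] "CONNECT www.google.com:80 HTTP/1.0" 200 38
192.0.2.10 - - [24/Aug/2004:15:35:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 40
198.51.100.7 - - [24/Aug/2004:15:52:37 +0000] "CONNECT www.google.com:80 HTTP/1.0" 405 312
203.0.113.5 - - [24/Aug/2004:16:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120
this line is malformed and must be skipped
"""

def audit_connect(lines):
    """Return {client: {"accepted": [targets], "refused": [targets]}} for CONNECT.

    "accepted" is any 2xx status, which is what a proxy scanner reads as success;
    "refused" is every other status, including the expected 405.
    """
    report = defaultdict(lambda: {"accepted": [], "refused": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # skip malformed lines and ordinary requests
        bucket = "accepted" if m.group("status").startswith("2") else "refused"
        report[m.group("host")][bucket].append(m.group("target"))
    return dict(report)

def smtp_targets(report):
    """Clients whose 2xx CONNECT requests named port 25 (mail relay attempts)."""
    return sorted(c for c, r in report.items()
                  if any(t.endswith(":25") for t in r["accepted"]))

if __name__ == "__main__":
    rep = audit_connect(SAMPLE_LOG.splitlines())
    for client, r in sorted(rep.items()):
        print(client, "2xx:", r["accepted"], "refused:", r["refused"])
    print("2xx CONNECT to port 25 from:", smtp_targets(rep))
```

Any entry under "accepted" on a server built without mod_proxy corresponds to the 200 response shown in the report, even though no tunnel was opened.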
