Your message dated Fri, 17 Sep 2004 08:40:55 -0600
with message-id <[EMAIL PROTECTED]>
and subject line logs incorrect data when faced with IIS WebDAV SEARCH attack
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Jun 2004 01:50:53 +0000
>From [EMAIL PROTECTED] Thu Jun 10 18:50:53 2004
Return-path: <[EMAIL PROTECTED]>
Received: from bdsl.66.12.153.218.gte.net (scottstuff.net) [66.12.153.218]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1BYbC1-0001Nx-00; Thu, 10 Jun 2004 18:50:53 -0700
Received: from localhost (localhost [127.0.0.1])
(uid 1000)
by scottstuff.net with local; Thu, 10 Jun 2004 18:50:49 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Scott Laird <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: libapache2-svn: logs incorrect data when faced with IIS WebDAV SEARCH
attack
X-Mailer: reportbug 2.61
Date: Thu, 10 Jun 2004 18:50:49 -0700
Message-ID: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: libapache2-svn
Version: 1.0.3-1
Severity: important
Tags: security sid
I get hit with at least one exploit attempt per day that consists of
an HTTP 'SEARCH' command followed by approximately 32k of overflow data.
Google suggests that this is an attempt to exploit a known IIS WebDAV
bug. Under normal circumstances, this wouldn't bother me, since I
wouldn't touch IIS with a ten-foot pole (and wouldn't submit Debian bugs
about it, even if I had a longer pole).
However, about half of the access log entries for exploit attempts
contain strings from my personal Subversion repository as part of the
logged HTTP SEARCH string. An example is available at
<http://scottstuff.net/misc/apache-log.txt>. The final 4k of the
logged string belongs to a file that is maintained via WebDAV and
Subversion. It contains personal details and clearly wasn't submitted
as part of the exploit. Therefore, there's probably an overflow
somewhere in Subversion or Apache 2, and this IIS exploit is causing
Apache/Subversion to misbehave, appending something from somewhere else
in memory onto the logged string.
Alternately, Apache could be truncating the logged string around 32k but
forgetting to append the trailing '\0', but I haven't seen any evidence
of this in a quick survey of the code.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.25
Locale: LANG=C, LC_CTYPE=C
Versions of packages libapache2-svn depends on:
ii apache2-mpm-prefork [apache 2.0.49-1 Traditional model for Apache2
ii db4.2-util 4.2.52-10 Berkeley v4.2 Database Utilities
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii libsvn0 1.0.3-1 Shared libraries used by Subversio
-- no debconf information
---------------------------------------
Received: (at 253775-done) by bugs.debian.org; 17 Sep 2004 14:40:56 +0000
>From [EMAIL PROTECTED] Fri Sep 17 07:40:56 2004
Return-path: <[EMAIL PROTECTED]>
Received: from s010600e029962405.cg.shawcable.net (lucifer.0c3.net)
[68.147.203.152] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1C8Juy-0000FZ-00; Fri, 17 Sep 2004 07:40:56 -0700
Received: from adconrad by lucifer.0c3.net with local (Exim 3.36 #1 (Debian))
id 1C8Jux-0002ps-00
for <[EMAIL PROTECTED]>; Fri, 17 Sep 2004 08:40:55 -0600
To: [EMAIL PROTECTED]
Subject: logs incorrect data when faced with IIS WebDAV SEARCH attack
Message-Id: <[EMAIL PROTECTED]>
From: Adam Conrad <[EMAIL PROTECTED]>
Date: Fri, 17 Sep 2004 08:40:55 -0600
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_01 autolearn=no
version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
This bug was fixed several upstream revisions back, and the off-by-one error
introduced by the bugfix was fixed in 2.0.51, allowing this bug to finally be
closed.
