Package: dsniff
Version: 2.4b1+debian-15
Severity: important
Tags: patch

urlsnarf directly outputs the user name, URL, Referer-URL, and the
User-Agent string of every HTTP request it sees on the wire, without
any sanitizing. Since it does not escape illegal characters, HTTP
requests containing non-ASCII bytes or double quote characters may
confuse most programs trying to parse CLF-style log files.

The attached patch modifies urlsnarf so that non-ASCII bytes are
escaped with \0xNN. Double quotes are escaped as \", and the backslash
is escaped as \\. (This is what Apache also seems to be doing.)

Cheers,
-Hilko

#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_urlsnarf_escape.dpatch by Hilko Bengen <[EMAIL PROTECTED]>
##
## DP: Escape user, vhost, uri, referer, agent strings in log

@DPATCH@
--- dsniff-2.4b1+debian~/urlsnarf.c     2006-11-27 17:09:54.000000000 +0100
+++ dsniff-2.4b1+debian/urlsnarf.c      2006-11-27 17:08:41.000000000 +0100
@@ -84,6 +84,42 @@
        return (tstr);
 }
 
+static char *
+escape_log_entry(char *string)
+{
+       char *out;
+       unsigned char *c, *o;
+       size_t len;
+
+       if (!string)
+               return NULL;
+
+       /* Determine needed length */
+       for (c = string, len = 0; *c; c++, len++) {
+               if ((*c < 32) || (*c >= 128))
+                       len += 3;
+               if ((*c == '"') || (*c =='\\'))
+                       len++;
+       }
+       out = malloc(len+1);
+       if (!out)
+               return NULL;
+       for (c = string, o = out; *c; c++, o++) {
+               if ((*c < 32) || (*c >= 128)) {
+                       *(o++) = '\\';
+                       *(o++) = 'x';
+                       snprintf(o++, 3, "%02x", *c);
+               } else if ((*c == '"') || ((*c =='\\'))) {
+                       *(o++) = '\\';
+                       *o = *c;
+               } else {
+                       *o=*c;
+               }
+       }
+       out[len]='\0';
+       return out;
+}
+
 static int
 process_http_request(struct tuple4 *addr, u_char *data, int len)
 {
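Review bot: The escape predicate `(*c < 32) || (*c >= 128)` lets DEL (0x7f) through unescaped, and it is written out twice, once in the sizing loop and once in the copy loop, so the two can drift apart and turn `len` into an under-count. Using `*c < 32 || *c >= 127` in both places (or a small static helper that both loops call) would close that gap. The `snprintf(o++, 3, "%02x", *c)` call also writes a NUL one byte past the two hex digits, which stays in bounds only because of the `len+1` allocation; a comment such as `/* snprintf's NUL lands on the next output slot or on out[len] */` would keep a later edit from shrinking the buffer. The emitted form is `\xNN`, whereas the report text says `\0xNN`.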
@@ -142,18 +178,23 @@
                                buf_tok(NULL, NULL, i);
                        }
                }
-               if (user == NULL)
-                       user = "-";
-               if (vhost == NULL)
-                       vhost = libnet_addr2name4(addr->daddr, Opt_dns);
-               if (referer == NULL)
-                       referer = "-";
-               if (agent == NULL)
-                       agent = "-";
-               
+               user = escape_log_entry(user);
+               vhost = escape_log_entry(vhost);
+               uri = escape_log_entry(uri);
+               referer = escape_log_entry(referer);
+               agent = escape_log_entry(agent);
+
                printf("%s - %s [%s] \"%s http://%s%s\"; - - \"%s\" \"%s\"\n",
                       libnet_addr2name4(addr->saddr, Opt_dns),
-                      user, timestamp(), req, vhost, uri, referer, agent);
+                      (user?user:"-"), timestamp(), req, 
+                      (vhost?vhost:libnet_addr2name4(addr->daddr, Opt_dns)), 
+                      uri, (referer?referer:"-"), (agent?agent:"-"));
+
+               if (user) free(user);
+               if (vhost) free(vhost);
+               if (uri) free(uri);
+               if (referer) free(referer);
+               if (agent) free(agent);
        }
        fflush(stdout);
        
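Review bot: `uri` is handed to `printf` with no fallback, yet `escape_log_entry` returns NULL when `malloc` fails, so an allocation failure passes a null pointer to `%s`, which is undefined behaviour; the other four fields are guarded, so `(uri?uri:"-")` would be consistent. The same NULL return also makes a failed allocation for `user`, `referer` or `agent` print as `-`, indistinguishable from an absent header. The two `libnet_addr2name4()` results are still printed unescaped; if `Opt_dns` enables reverse lookups, those names come from DNS and probably deserve the same escaping. `process_http_request` starts and ends outside this hunk, so whether `uri` can already be NULL before this point is not visible here.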
-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages dsniff depends on:
ii  libc6                        2.3.6.ds1-8 GNU C Library: Shared libraries
ii  libdb4.3                     4.3.29-6    Berkeley v4.3 Database Libraries [
ii  libnet1                      1.1.2.1-2   library for the construction and h
ii  libnids1.21                  1.21-0      IP defragmentation TCP segment rea
ii  libpcap0.8                   0.9.5-1     System interface for user-level pa
ii  libssl0.9.8                  0.9.8c-3    SSL shared libraries
ii  openssl                      0.9.8c-3    Secure Socket Layer (SSL) binary a

dsniff recommends no packages.

-- no debconf information

