Well, Apache is accepting an illegal (per the RFC) request:

http://www.w3.org/Protocols/rfc1945/rfc1945

       HTTP-message   = Simple-Request           ; HTTP/0.9 messages
                      | Simple-Response
                      | Full-Request             ; HTTP/1.0 messages
                      | Full-Response

where

       Simple-Request  = "GET" SP Request-URI CRLF

and

       Request-URI    = absoluteURI | abs_path

       absoluteURI    = scheme ":" *( uchar | reserved )

       abs_path       = "/" rel_path

       rel_path       = [ path ] [ ";" params ] [ "?" query ]

       path           = fsegment *( "/" segment )
etc.

Note that a rel_path must have characters before its 1st /.

// is valid only as:

       net_path       = "//" net_loc [ abs_path ]

Which is part of "3.2.1 General Syntax" of a URI, but is not legal in a GET
request.


Regardless, the web server shouldn't hang.

However, I'm pretty sure it's not.  


Fri Jul  1 08:53:40 2005  **ERROR** URL security: '//' rejected (code=2)(client=192.168.142.100)
Fri Jul  1 08:53:40 2005  **ERROR** Rejected request from address 192.168.142.100 (it previously sent ntop a bad request)

Following the initial error, you should see subsequent log messages:

Fri Jul  1 08:53:50 2005  **ERROR** Rejected request from address 192.168.142.100 (it previously sent ntop a bad request)

Well, we reject them - period as in drop them on the floor.  We don't bother
telling you to get stuffed or anything - under the assumption that the less
work we do to respond to an attacker, the better off we are.

Try using another host - you should be able to access things just fine.  Or
wait until the "BadGuy" timeout elapses and try again.


-----Burton


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tamas Kovacshazy
Sent: Friday, July 01, 2005 6:57 AM
To: [email protected]
Subject: [Ntop-dev] URL problem++


Hi,

It seems like the URL problem I reported previously is more complex.

The problem is checkURLsecurity() in http.c. It checks for // (and for some
other fishy stuff like &&, ??) in the URL, and returns with an error.

After that an HTTP error response is returned to the client and the built-in
HTTP server freezes, not answering requests. NTOP must be restarted.

It is clearly a BUG, at least on my setup (current CVS version), in
addition, it makes way for a DoS attack.

Best Regards,

khazy

PS: Apache substitutes '//' in URLs with '/' if '//' appears in the server
local part of the URL, and answers the request without problem. 
Just try it on an Apache server. 
_______________________________________________________________________________
  Tamas Kovacshazy  E-mail: [EMAIL PROTECTED]  WWW: http://www.mit.bme.hu/~khazy
                Budapest University of Technology and Economics
  Department of Measurement and Information Systems  WWW: http://www.mit.bme.hu
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
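
The behaviour discussed in this thread (a URL check that flags '//', '&&' and '??', after which further requests from the same client are dropped without a reply until a timeout elapses), as an added C example that is not ntop's http.c. The function names, the table size and the 300-second timeout are assumptions; the thread gives no timeout value.

```c
/* Added example, not ntop's http.c; every name and value here is hypothetical. */
#include <string.h>
#include <time.h>

#define MAX_BAD_GUYS      8
#define BAD_GUY_TIMEOUT 300   /* seconds; assumed, the thread gives no value */

enum verdict { SERVE, REJECT_URL, DROP_BAD_GUY };

struct bad_guy { char addr[46]; time_t since; };
static struct bad_guy bad_guys[MAX_BAD_GUYS];   /* zero-initialised: all free */

/* Nonzero if the URL contains one of the sequences named in the thread. */
static int url_is_suspicious(const char *url) {
    static const char *patterns[] = { "//", "&&", "??" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        if (strstr(url, patterns[i]) != NULL) return 1;
    return 0;
}

/* Return the live entry for addr, clearing expired entries along the way. */
static struct bad_guy *find_bad_guy(const char *addr, time_t now) {
    for (int i = 0; i < MAX_BAD_GUYS; i++) {
        struct bad_guy *b = &bad_guys[i];
        if (b->addr[0] == '\0') continue;
        if (now - b->since >= BAD_GUY_TIMEOUT) { b->addr[0] = '\0'; continue; }
        if (strcmp(b->addr, addr) == 0) return b;
    }
    return NULL;
}

/* Record addr in the first free slot, or overwrite the oldest entry seen. */
static void remember_bad_guy(const char *addr, time_t now) {
    int slot = 0;
    for (int i = 0; i < MAX_BAD_GUYS; i++) {
        if (bad_guys[i].addr[0] == '\0') { slot = i; break; }
        if (bad_guys[i].since < bad_guys[slot].since) slot = i;
    }
    strncpy(bad_guys[slot].addr, addr, sizeof bad_guys[slot].addr - 1);
    bad_guys[slot].addr[sizeof bad_guys[slot].addr - 1] = '\0';
    bad_guys[slot].since = now;
}

/* Verdict for one request; 'now' is a parameter so expiry can be tested. */
enum verdict handle_request(const char *client, const char *url, time_t now) {
    if (find_bad_guy(client, now) != NULL) return DROP_BAD_GUY; /* no reply */
    if (url_is_suspicious(url)) { remember_bad_guy(client, now); return REJECT_URL; }
    return SERVE;
}
```

From the flagged client's side, DROP_BAD_GUY looks the same as a hung server, while a second host is served normally and the first is served again once the timeout has passed.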