Re: [SLUG] Long lines in /var/log/httpd/access_log

2010-10-28 Thread Andrew Bennetts
Rick Welykochy wrote:
> Jim Donovan wrote:
> 
> >GET /documents/url(data:image
> 
> At a glance, this is a request for a data: URI
> 
> 
> There are exploits involving this rarely used URI scheme.
> 

I'd guess this isn't an exploit.  The image encoded in that URI is just
a couple of little icons: "?", "-", "x" and a Google search "g" (i.e. it
looks like a CSS sprite encoded in a data: URI).  Also, the user agent
string includes "GTB": Google Toolbar.  I suspect a bug in Google
Toolbar, at least in that version or combination with IE 8, that is
accidentally causing a data: URI to be treated as a relative HTTP URI.

In short: it looks like a harmless bug in one user's browser.

-Andrew.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
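
The check Andrew describes above (pull the data: URI out of the logged request path, decode it, and see what the payload really is), as an added Python example that is not part of the original thread. The log line is constructed: documentation IP, example.org referer, shortened user agent and a generated blank 56x14 PNG; `triage` and `make_png` are names chosen here.

```python
import base64, binascii, re, struct, zlib
from urllib.parse import quote, unquote

# Apache combined format: host ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
# data:[<mime>][;params],<payload> up to the ")" that closes a CSS url(...)
DATA_RE = re.compile(r'data:([\w.+-]+/[\w.+-]+)?((?:;[\w=.+-]+)*),([^)\s"]*)', re.I)
MAGIC = {b"\x89PNG\r\n\x1a\n": "image/png", b"GIF8": "image/gif", b"\xff\xd8\xff": "image/jpeg"}

def triage(line):
    """Summarise a logged request whose path embeds a data: URI; None if it has none."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, path, status, referer, agent = m.groups()
    d = DATA_RE.search(unquote(path))          # logs keep "+" and "/" as %2b and %2f
    if not d:
        return None
    declared, params, payload = d.groups()
    declared = declared.lower() if declared else None
    if params.lower().endswith(";base64"):
        try:                                   # tolerate missing padding in a truncated log line
            raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        except binascii.Error:
            raw = b""
    else:
        raw = payload.encode("utf-8", "replace")
    # Trust the magic bytes, not the MIME type the URI claims.
    sniffed = next((t for sig, t in MAGIC.items() if raw.startswith(sig)), None)
    dims = struct.unpack(">II", raw[16:24]) if sniffed == "image/png" and len(raw) >= 24 else None
    return {"client": client, "status": int(status), "referer": referer,
            "declared": declared, "sniffed": sniffed, "mismatch": declared != sniffed,
            "bytes": len(raw), "dimensions": dims, "toolbar_ua": "GTB" in agent}

def make_png(w, h):
    """Build a small blank greyscale PNG so the sample below is self-contained."""
    def chunk(tag, data):
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)
    idat = zlib.compress((b"\x00" + b"\x00" * w) * h)
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed sample line (not the one from the thread).
SAMPLE = ('192.0.2.10 - - [28/Oct/2010:14:06:59 +1100] "GET /documents/url(data:image/png;base64,'
          + quote(base64.b64encode(make_png(56, 14)).decode(), safe="")
          + ') HTTP/1.1" 404 1791 "http://www.example.org/documents/page.html" '
          '"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; GTB6.6)"')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `mismatch` of `True` means the payload's magic bytes do not match the declared MIME type, which is the case worth a closer look.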


Re: [SLUG] Long lines in /var/log/httpd/access_log

2010-10-28 Thread Matthew Hannigan
On Fri, Oct 29, 2010 at 06:25:34AM +1000, Rick Welykochy wrote:
> Jim Donovan wrote:
> 
> >GET /documents/url(data:image
> 
> At a glance, this is a request for a data: URI
> 
> 
> There are exploits involving this rarely used URI scheme.
> 
> 
> Do you recognise the requesting IP address?
> 

Jim, the IP belongs to Bell Canada -- their ISP business I guess.

HTH



Re: [SLUG] Long lines in /var/log/httpd/access_log

2010-10-28 Thread Rick Welykochy

Jim Donovan wrote:

> GET /documents/url(data:image

At a glance, this is a request for a data: URI

There are exploits involving this rarely used URI scheme.

Do you recognise the requesting IP address?


cheers
rickw


--
Rick Welykochy || Praxis Services

No position is so absurd that a philosopher cannot be found
to argue for it.   -- Michael Lockwood


[SLUG] Long lines in /var/log/httpd/access_log

2010-10-28 Thread Jim Donovan
A few lines like this have appeared this week; what do they mean, please?

Jim Donovan

67.70.87.182 - - [28/Oct/2010:14:06:59 +1100] "GET 
/documents/url(data:image/png;base64,iVBORw0KGgoNSUhEUgAAADgOCAYAAAB6pd%2buAXNSR0IArs4c6QZiS0dEAP8A%2fwD%2foL2nkwlwSFlzAAALEwAACxMBAJqcGAd0SU1FB9oGAhENK17O5ogZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf%2fz%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rjSzrhUU!
wn4PV1AV4bcm5nwkYDfc3xhbs%2bVWQZH%2btlekc%2fDtRupKrub1uYT7NhWw9bde%2fl2REUSRR56pJT0lxofhM8xaheXVPA1oDPg9zT%2bExmsDqF8hUqmlvi%2bDUs6RWhW5Ov%2bKaxmK5XFLkIzIe7f%2fiBtwypPVZqIRWJ8Ny6x09OEJJs5rrTxn4yJY00NwRU0mtaMLY9kyL3n9clVAb%2fnley8wnyBkkIHrgILm925JGPTJONRDHqaHDQmx2a4Ph4hpFkpcZqZmBhHtbI4wYDfs3%2bNhn5bpqG03LKl1ydXAS97fXJ%2b9jv0Hq6lyK5C%2fBJ6PEjyj2nW2VQGLw5gLKqn92YSxWgjbrRy89ogVosFoyT%2bZUzcurjD65M71oDjCeDzbCIZ5VqAk9mJm9w5zAdPkRx%2bB3H6Y3Kj7TxQMkzLqfe5V71GvttFiduOa3aQc58E6JseJJXSEVhjeH2yvpxN5qVnygj%2fdJQCWxjBAOm0gVRC5MLPdoZnt2F3rsdisTAV7MBlusT3oVK6TOriCv4fIZnsSDlu1IQRNWVGV83kYKFuZzX7PQ1MFOg0j53nh%2bg8qpLg2eogeyJ53JFddDkLtyiZ6%2b%2b674Vu5cZXiIkJdAEMjnvIqzjEjVCS7rmrhOwC0Vwn58fqkIIXeL72Mn8CJn6UfKGeNt4ASUVORK5CYII%3d)
 HTTP/1.1" 404 1791 "http://www.aptnsw.org.au/documents/lrtprocon.html" 
"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; GTB6.6; 
SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; eSobiSubscriber 2.0.4.16; .NET 
CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; AskTB5.6)"