Matt Tesauro wrote:
> Andres Riancho wrote:
>> Matt,
>>
>> On Tue, Jun 2, 2009 at 11:12 AM, Matt Tesauro <[email protected]> wrote:
>>> Andres Riancho wrote:
[big snip]
>>
>>> Then if it is, try fun files like backup, etc.
>> Yes, but I think that it's much more performant to try this with
>> mod_negotiation. With mod_speling I don't get a performance gain,
>> because if I'm searching for backup.zip, I'll request backup.zip and
>> get it back, or if the admin made the misspelling while creating the
>> backup file and named it backuo.zip, I'll get it back also.
> It would be interesting to turn on mod_speling and off mod_negotiation
> on that host and try the same request and see what happens. That's an
> edge case I've not seen/played with.
>
So I got curious and did some testing. First I set up a backup.zip and
backup.tgz in the web root (as you had above) and tried variations on
mod_negotiation and mod_speling. Then I tried various request headers
to see if that influenced the behavior. There were some interesting
outcomes:
* mod_speling doesn't behave as I expected. For variations on the
request, I kept getting 404s. For example, the following all produced
404s: /backup /backup.zzz /crackup.zip
* mod_negotiation seems to rely upon the Accept request header to
provide the listing of options. At first this seemed odd to me, but I
checked the RFCs and:
  * Status 406 isn't even part of HTTP 1.0 (RFC 1945).
  * However, RFC 2616 includes Status 406. Apache's behavior conforms
  to section 10.4.7 of 2616, which says:
  "...the response SHOULD include an entity containing a list of available
  entity characteristics and location(s) from which the user or user agent
  can choose the one most appropriate."
* The crucial bit seems to be the Accept header on the request, which
has some interesting behavior:
  * If there is a MIME type match, the file matching that MIME type is
  served. So if you have “Accept: application/x-gzip”, then you get the
  .tgz file and no listing is created.
  * If the MIME type doesn't match (or is unknown to Apache), then an
  HTTP Status of 406 is returned with a listing of matches. This is the
  behavior that Andres mentioned in his post.
  * The 'super glob' MIME type of “*/*” qualifies as a match. The file
  served in this case will be the first file in the HTTP 406 list.
  Basically, it's the first file that would be found if you did an ls -1
  [requested file] like “ls -1 backup*”. Since the “t” in backup.tgz is
  listed before the 'z' in backup.zip, it is the default file served.
* Interestingly, Apache will reply with HTTP 1.1 when it does a 406
Status reply even if the originating request is HTTP 1.0, which seems
sensible as 406 isn't in the HTTP 1.0 RFC and HTTP 1.0 clients wouldn't
know about a 406.
I wrote a rather long blog entry that goes into this in detail. If
you're curious, you can read it here:
http://appseclive.org/content/grudge-match-apaches-modnegotiation-vs-modspeling
Cheers!
>> But with mod_negotiation, I just say: "get me all the files that start
>> with backup", and I get a response =)
> That is rather handy for the attacker, isn't it.
>
-- Matt Tesauro
OWASP Live CD Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
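The Accept-header behaviour Matt describes above, as an added model (example code, not from the thread or from Apache itself) that assumes a constructed web root listing and a small MIME table, and ignores q-values: a matching type serves that file, "*/*" serves the first variant in ls -1 order, and no match yields a 406 carrying the variant list.

```python
# Added example: a minimal model of Apache mod_negotiation (MultiViews)
# variant selection for a request such as GET /backup. Assumptions:
# the directory listing and MIME table below are constructed for the
# example, and Accept q-values are ignored for simplicity.

# Constructed web root standing in for Matt's test directory.
WEBROOT = ["backup.tgz", "backup.zip", "index.html"]

# Assumed extension -> MIME mapping (mirrors the .tgz case in the thread).
MIME = {"tgz": "application/x-gzip", "zip": "application/zip",
        "html": "text/html"}


def parse_accept(accept):
    """Return the media ranges of an Accept header, parameters dropped."""
    ranges = []
    for item in accept.split(","):
        media = item.split(";")[0].strip().lower()
        if media:
            ranges.append(media)
    return ranges


def accepts(media_type, ranges):
    """True if media_type matches an exact, type/* or */* range."""
    major = media_type.split("/")[0]
    return any(r in (media_type, major + "/*", "*/*") for r in ranges)


def negotiate(requested, accept, files):
    """Return (status, files) as MultiViews would for an extensionless path.

    200 -> the single file served; 406 -> the variant list disclosed in the
    response body; 404 -> nothing shares the requested name.
    """
    stem = requested.lstrip("/")
    # Variants share the stem; sorted() reproduces the 'ls -1 backup*' order.
    candidates = sorted(f for f in files if f.rsplit(".", 1)[0] == stem)
    if not candidates:
        return 404, []
    ranges = parse_accept(accept)
    for name in candidates:  # first acceptable variant wins, so */* -> .tgz
        ext = name.rsplit(".", 1)[1]
        if accepts(MIME.get(ext, "application/octet-stream"), ranges):
            return 200, [name]
    return 406, candidates  # listing disclosed; 'Options -MultiViews' stops it
```

Each 406 above is also what shows up in the access log, so a run of 406 responses to extensionless paths is the thing to alert on while MultiViews remains enabled.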
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users