
Only newest Apache log WebDAV exploit requests?

 
user2745

External


Since: Apr 12, 2004
Posts: 1



(Msg. 1) Posted: Mon Apr 12, 2004 11:17 pm
Post subject: Only newest Apache log WebDAV exploit requests?
Archived from groups: alt>apache>configuration

After upgrading Apache from 2.0.48 to 2.0.49, I received a large number of
WebDAV exploit requests
(like "SEARCH
\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02......")
(>500 entries in 3 days).

Then I downgraded to 2.0.48, and the requests disappeared.

So, only Apache 2.0.49/1.3.29 log these requests, is that true? And
why?



--
jason.gao
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message179081.html

purlgurl

External


Since: Oct 24, 2003
Posts: 127



(Msg. 2) Posted: Mon Apr 12, 2004 11:17 pm
Post subject: Re: Only newest Apache log WebDAV exploit requests?
Archived from groups: per prev. post

jason.gao wrote:

 > WebDAV exploit requests

 > So, only Apache 2.0.49/1.3.29 log these requests, is that true?

No, this is not true. Any version which drops a connection
based on a 414 error contains this bug. It might be 2.0.49
accepts a SEARCH request method. However, I would expect
this same bug to appear if that version drops a connection
based on a 414 error; URI length over eight kilobytes.


 > why?

Visually examine your Apache httpd.h header file
for c++ compilation, found in your include directory,
about halfway through,

define ap_status_drops_connection

There, and in subsequent lines and sections, you
will discover why WebDAV exploits are able
to make use of this bug in Apache.

Most direct cure is to rewrite the httpd.h header file
and associated header files to remove a 414 from the
drop connection array, then allow SEARCH as a recognized
method, then recompile Apache.

There is an inherent problem: this defeats the URI length
filter, allowing the entire WebDAV exploit to enter.
Better approach would be to write code which scans
a request for "SEARCH" and immediately drops a connection
with no further processing.

Apache should drop a connection based on an unrecognized
request method, but does not. This is a bug which leads
to a series of subsequent bugs.

I would suggest a reader not try this unless you
are quite experienced in C language and equally
experienced at compiling Apache.


Purl Gurl
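
An added example, not part of the original posts: a small Python filter that separates the SEARCH probes discussed in this thread from ordinary traffic in an access log and counts them per client. The log lines, the addresses and the min_escapes threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format. Addresses come from
# documentation ranges; the payloads are shortened stand-ins.
SAMPLE_LOG = r'''
192.0.2.10 - - [12/Apr/2004:21:02:11 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 340
192.0.2.10 - - [12/Apr/2004:21:02:15 -0700] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1" 414 340
198.51.100.7 - - [12/Apr/2004:21:05:40 -0700] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [12/Apr/2004:21:09:03 -0700] "SEARCH /docs HTTP/1.1" 501 215
'''

# The request field is matched greedily so that an over-long request line
# logged without a trailing protocol token still parses.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)')
ESCAPED_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')  # a \xhh sequence as it appears in the log


def classify(line, min_escapes=4):
    """Parse one log line; return None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    method, _, target = m['request'].partition(' ')
    escapes = len(ESCAPED_BYTE.findall(target))
    # Probe: SEARCH that was either refused as too long (414) or carries
    # a run of escaped binary bytes in the request target.
    probe = method == 'SEARCH' and (m['status'] == '414' or escapes >= min_escapes)
    return {'host': m['host'], 'method': method,
            'status': int(m['status']), 'escapes': escapes, 'probe': probe}


def summarize(log_text):
    """Return (probes per client, count of all other parsed requests)."""
    per_host, other = Counter(), 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        if rec['probe']:
            per_host[rec['host']] += 1
        else:
            other += 1
    return per_host, other


if __name__ == '__main__':
    probes, other = summarize(SAMPLE_LOG)
    for host, count in probes.most_common():
        print(f'{host}: {count} SEARCH probe(s)')
    print(f'other requests: {other}')
```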
