Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2001/07/19 21:21:21 UTC

Re: Missing "Addhandler FOD `cat list` " problem

Sorry, this is exactly what they 'should' see.  You can toggle off the version number
for Apache (see the docs) but there isn't much point (since you apparently stay current
to avoid known exploits); they contacted your domain so they should see your
domain (it's available through nslookup in any case); and so what that there is a site
at your IP?  

Please posit your suggestion to new-httpd@apache.org where the authors can consider
it, especially in the context of Apache 2.0.

Bill



----- Original Message ----- 
From: "rudy" <ru...@edpstaff.com>
To: <wr...@rowe-clan.net>
Sent: Thursday, July 19, 2001 1:52 PM
Subject: Re: Missing "Addhandler FOD `cat list` " problem 


> 1) Thanks for the fast response. And yes, this should probably be openly
> discussed. 
> 
> 2) they get:
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <HTML><HEAD>
> <TITLE>400 Bad Request</TITLE>
> </HEAD><BODY>
> <H1>Bad Request</H1>
> Your browser sent a request that this server could not understand.<P>
> Invalid URI in request 
> d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3
> %u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 324 "-" "-"<P>
> <HR>
> <ADDRESS>Apache/1.3.20 Server at edpstaff.com Port 80</ADDRESS>
> </BODY></HTML>
> 
> i.e.
>  1-info that this is an apache 1.3.20 server
>  2-domain name 
>  3-knowledge that site is live and exists
>  
> the FOD handler would leave them starved of any response. That should
> reduce their interest in this activity although .. [really wide grin here]
> for release 2 we could maybe send back Microsoft's XP license key cancellation 
> sequence and shut them out of their PC?
> 
> >From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
> >To: <se...@apache.org>, "rudy" <ru...@edpstaff.com>
> >Subject: Re: Missing "Addhandler FOD `cat list` " problem 
> >Date: Thu, 19 Jul 2001 13:43:24 -0500
> >
> >Please define "information these guys should not be getting" so we can review this
> >or refer you to the httpd list, since this is apparently _not_ an open security
> >vulnerability, only a request for improvement that should be discussed publicly.
> >
> >Bill
> >
> >----- Original Message ----- 
> >From: "rudy" <ru...@edpstaff.com>
> >To: <I-...@apache.org>
> >Sent: Thursday, July 19, 2001 1:35 PM
> >Subject: Missing "Addhandler FOD `cat list` " problem 
> >
> >
> >> hi:
> >> 
> >> I'm currently undergoing a weird denial of service attack in which a large
> >> number of PCs (218 at last count) are sending me kiddie scripted buffer overflow
> >> attacks aimed at IIS admin scripts. [I know, read on, please!].
> >> 
> >> These look like:
> >> webmail.ticketsnow.com - - [19/Jul/2001:14:06:11 -0400] "GET
> >> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9
> >> 090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u909
> >> 0%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 330 "-" "-"
> >> 
> >> and should be harmless except that they tie up bandwidth and the Apache server
> >> response contains information these guys should not be getting. To fix this
> >> security problem (hey, there's no "suggestion box" on the apache site; I didn't
> >> want to use this email route but saw no alternatives)
> >> apache needs a new handler. The effect of:
> >> 
> >> < AddHandler FOD 
> >>     default.ida
> >>     _vti_inf.html
> >>     _vti_bin/shtml.exe/_vti_rpc >
> >> 
> >> would be that a request to GET or POST anything on the list would return
> >> absolutely nothing.  I.e. the server would write the log msg but appear totally
> >> dead to the requestor.
> >> 
> >> Rudy de Haas
> >> http://www.winface.com/
> >> 519-896-2560 EDT
> >> 
> >> 
> >
> 
> Rudy de Haas
> http://www.edpstaff.com/
> 519-896-2560 EDT
> 
> 



Re: Missing "Addhandler FOD `cat list` " problem

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
From: "William A. Rowe, Jr." <wr...@rowe-clan.net>
Sent: Thursday, July 19, 2001 2:21 PM


> Please posit your suggestion to new-httpd@apache.org where the authors can consider
> it, especially in the context of Apache 2.0.

Sorry, meant to reply back to security@ ... since this is here, let me condense the
guts of the suggestion...

----- Original Message ----- 
From: "rudy" <ru...@edpstaff.com>
To: <I-...@apache.org>
Sent: Thursday, July 19, 2001 1:35 PM
Subject: Missing "Addhandler FOD `cat list` " problem 
>
> hi:
> 
> I'm currently undergoing a weird denial of service attack in which a large
> number of PCs (218 at last count) are sending me kiddie scripted buffer overflow
> attacks aimed at IIS admin scripts. [I know, read on, please!].
> 
> ... should be harmless except that they tie up bandwidth and the Apache  server
> apache needs a new handler. The effect of:
> 
> < AddHandler FOD 
>      default.ida
>      _vti_inf.html
>      _vti_bin/shtml.exe/_vti_rpc >
> 
> would be that a request to GET or POST anything on the list would return 
> absolutely nothing.  I.e. the server would write the log msg but appear totally 
> dead to the requestor.

I expect this should be simple to do using the new filtering schema; we've done
similar bogus things by accident in developing the new server filter model :)

Any takers?

Bill
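
Added example, not part of the original thread or of Apache itself: a small access-log summarizer that counts the distinct sources and response bytes for requests to the paths on the proposed FOD list, the figures the original poster cites (number of PCs, bandwidth). The host names and the shortened padding in SAMPLE_LOG are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Paths from the FOD list proposed in the thread (IIS/FrontPage resources).
PROBE_PATHS = ("/default.ida", "/_vti_inf.html", "/_vti_bin/shtml.exe/_vti_rpc")

# host ident user [time] "request" status bytes ... (common/combined format).
# The request is matched greedily so a malformed request line still parses.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*)" (\d{3}) (\d+|-)')

# Constructed sample lines: hosts are placeholders, padding is shortened.
SAMPLE_LOG = [
    'host-a.example - - [19/Jul/2001:14:06:11 -0400] "GET /default.ida?NNNNNNNN=a  HTTP/1.0" 400 330 "-" "-"',
    'host-b.example - - [19/Jul/2001:14:06:15 -0400] "GET /default.ida?NNNNNNNN=a  HTTP/1.0" 400 330 "-" "-"',
    'host-a.example - - [19/Jul/2001:14:07:02 -0400] "GET /_vti_inf.html HTTP/1.0" 404 280 "-" "-"',
    'host-c.example - - [19/Jul/2001:14:07:30 -0400] "GET /index.html HTTP/1.0" 200 5120 "-" "-"',
    'host-d.example - - [19/Jul/2001:14:08:00 -0400] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 290 "-" "-"',
]

def parse_line(line):
    """Return host, URI, status and bytes for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, request, status, size = m.groups()
    parts = request.split()
    uri = parts[1] if len(parts) >= 2 else ""
    return {"host": host, "uri": uri, "status": int(status),
            "bytes": 0 if size == "-" else int(size)}

def is_probe(uri):
    """True if the path (query string removed) is on the FOD list."""
    path = uri.split("?", 1)[0].lower()
    return any(path == p or path.startswith(p + "/") for p in PROBE_PATHS)

def summarize(lines):
    """Count distinct probing hosts, probe requests and bytes sent in reply."""
    hosts = defaultdict(int)
    total_bytes = 0
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["uri"]):
            hosts[rec["host"]] += 1
            total_bytes += rec["bytes"]
    return {"sources": len(hosts), "requests": sum(hosts.values()),
            "bytes_sent": total_bytes, "per_host": dict(hosts)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```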