You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/08/24 18:49:48 UTC

DO NOT REPLY [Bug 30831] New: - Apache returns HTTP 200 on CONNECT without mod_proxy

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=30831>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=30831

Apache returns HTTP 200 on CONNECT without mod_proxy

           Summary: Apache returns HTTP 200 on CONNECT without mod_proxy
           Product: Apache httpd-2.0
           Version: 2.0.50
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: All
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: sbrown@truckstuffusa.com


Several people have reported this problem on the Focus on Linux Security Focus
mailing list.

On an Apache 2.0.50 server compiled without mod_proxy running PHP 4.3.8, an HTTP
CONNECT command returns an HTTP 200 rather than an HTTP 405 error:

> $ telnet a.somehost.com 80
> Trying x.x.x.x...
> Connected to a.somehost.com.
> Escape character is '^]'.
> CONNECT www.google.com:80 HTTP/1.0
> Host: a.somehost.com
>
> HTTP/1.1 200 OK
> Date: Tue, 24 Aug 2004 15:34:55 GMT
> Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8
> X-Powered-By: PHP/4.3.8
> Connection: close
> Content-Type: text/html; charset=ISO-8859-1
>
> Unknown server name: www.google.com
> Connection closed by foreign host. 

Since no proxy is enabled on this server, Apache should respond with a 405
Method Not Allowed.  However, as you can see, it responds with a 200 OK. 
Interestingly, this does not occur on Apache without PHP (or some other
language, e.g. perl) installed:

> $ telnet b.somehost.com 80
> Trying y.y.y.y...
> Connected to b.somehost.com.
> Escape character is '^]'.
> CONNECT www.google.com:80 HTTP/1.0
> Host: b.somehost.com
>
> HTTP/1.1 405 Method Not Allowed
> Date: Tue, 24 Aug 2004 15:52:37 GMT
> Server: Apache/2.0.50 (Unix) mod_ssl/2.0.50 OpenSSL/0.9.7d PHP/4.3.8
...
<snip error doc>
...
> Connection closed by foreign host. 

See discussion of this issue on PHP Bugzilla: http://bugs.php.net/bug.php?id=19113

Since spammers are looking for open Apache proxies to forward spam to mail
servers, this could result in a server getting hammered if some script kiddie
thinks he has found an open proxy.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org