Posted to users@httpd.apache.org by Ed Sawicki <ed...@alcpress.com> on 2006/10/05 18:39:03 UTC

[users@httpd] Apache/PHP and obfuscated URLs

I see that Apache 2.0 does not convert an obfuscated URL
into its canonical form. For example, with this URL:

http://www.example.com/url/hack

I see the Web page and the access log shows this:

10-05 07:41 "GET /url/hack HTTP/1.1" 200


With this obfuscated URL:

http://www.example.com/%75%72%6C%2F%68%61%63%6B

I get a 404 error page and the access log shows this:

10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404

However, the error log does not log this 404 error with
the default LogLevel.

Two questions:

1. Why doesn't Apache log the error when other 404 errors are
logged?

2. I'm pleased that Apache doesn't convert obfuscated URLs
into canonical form, but I'm wondering why attackers have
success using obfuscated URLs when attacking Apache sites
where the Web apps are written in PHP. I do not know or use
PHP.

Ed

Re: [users@httpd] Apache/PHP and obfuscated URLs

Posted by Joshua Slive <jo...@slive.ca>.
On 10/5/06, Ed Sawicki <ed...@alcpress.com> wrote:
>
> If I set AllowEncodedSlashes On, the request still results in a
> 404 message because of the other obfuscated characters. I'll
> try Apache version 2.2 later. As I said earlier, I'm happy that
> Apache behaves this way but I'd like to know why Apache/PHP sites
> are so vulnerable to attacks that use obfuscation.

Can you cite some examples?  Often the obfuscation happens in the
query string, which apache just passes along to the application.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
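The point Joshua makes above, that Apache decodes and checks the request path itself (rejecting an encoded slash unless AllowEncodedSlashes is On) while the query string goes through untouched for the application to decode, is what a defender sees in the access log. The following script is an added example, not code from this thread or from the httpd project: it scans constructed log lines in the abbreviated format Ed pasted and flags request targets that percent-encode characters RFC 3986 never requires to be encoded (letters, digits, `-._~`), encoded slashes in the path, and double encoding. The sample lines, the rule names and the function names are assumptions made for the example.

```python
"""Flag needlessly percent-encoded (obfuscated) request targets in Apache access log lines.

Added example for the thread above; assumes the abbreviated log format shown in
the thread and uses constructed sample lines.
"""
import re
from urllib.parse import unquote, urlsplit

# RFC 3986 "unreserved" characters: a client never needs to percent-encode these,
# so %75 for 'u' has no legitimate purpose and is a strong obfuscation signal.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample log lines (hypothetical; the first two mirror the thread).
SAMPLE_LOG = """\
10-05 07:41 "GET /url/hack HTTP/1.1" 200
10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
10-05 07:42 "GET /index.php?page=%61%62%6f%75%74 HTTP/1.1" 200
10-05 07:43 "GET /search?q=caf%C3%A9 HTTP/1.1" 200
10-05 07:44 "GET /a%252Fb HTTP/1.1" 404
"""


def find_encoded_unreserved(s):
    """Return the unreserved characters that were percent-encoded in s."""
    return [chr(int(h, 16)) for h in PCT.findall(s) if chr(int(h, 16)) in UNRESERVED]


def analyze_target(target):
    """Decode one request target and list the obfuscation signals it carries.

    The path and the query string are analysed separately because Apache decodes
    the path when mapping it to the filesystem (and refuses %2F unless
    AllowEncodedSlashes is On) but hands the query string to the application raw.
    """
    parts = urlsplit(target)
    findings = []

    enc = find_encoded_unreserved(parts.path)
    if enc:
        findings.append("encoded-unreserved-in-path:" + "".join(enc))
    if "%2f" in parts.path.lower():
        findings.append("encoded-slash-in-path")
    # After one round of decoding, a remaining %XX sequence means the client
    # encoded the percent sign itself (double encoding).
    if PCT.search(unquote(parts.path)):
        findings.append("double-encoding-in-path")

    enc_q = find_encoded_unreserved(parts.query)
    if enc_q:
        findings.append("encoded-unreserved-in-query:" + "".join(enc_q))

    return {
        "raw_path": parts.path,
        "decoded_path": unquote(parts.path),
        "decoded_query": unquote(parts.query),
        "findings": findings,
    }


def scan_log(text):
    """Return (raw target, report) pairs for every log line with at least one finding."""
    results = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        report = analyze_target(m.group("target"))
        if report["findings"]:
            results.append((m.group("target"), report))
    return results


if __name__ == "__main__":
    for raw, report in scan_log(SAMPLE_LOG):
        print(raw, "->", report["decoded_path"], report["findings"])
```

Running the script over the sample lines reports the thread's obfuscated request as decoding to `/url/hack` with both an encoded slash and encoded unreserved characters, flags the encoded query parameter that Apache itself would never inspect, and leaves the legitimately encoded UTF-8 query value alone. Keying alerts on these signals rather than on the raw string means a rewrite of the same path in a different encoding still triggers the same rule.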


Re: [users@httpd] Apache/PHP and obfuscated URLs

Posted by Ed Sawicki <ed...@alcpress.com>.
Joshua Slive wrote:
> On 10/5/06, Ed Sawicki <ed...@alcpress.com> wrote:
>> I see that Apache 2.0 does not convert an obfuscated URL
>> into its canonical form. For example, with this URL:
>>
>> http://www.example.com/url/hack
>>
>> I see the Web page and the access log shows this:
>>
>> 10-05 07:41 "GET /url/hack HTTP/1.1" 200
>>
>>
>> With this obfuscated URL:
>>
>> http://www.example.com/%75%72%6C%2F%68%61%63%6B
>>
>> I get a 404 error page and the access log shows this:
>>
>> 10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
>>
>> However, the error log does not log this 404 error with
>> the default LogLevel.
>>
>> Two questions:
>>
>> 1. Why doesn't Apache log the error when other 404 errors are
>> logged?
>>
>> 2. I'm pleased that Apache doesn't convert obfuscated URLs
>> into canonical form, but I'm wondering why attackers have
>> success using obfuscated URLs when attacking Apache sites
>> where the Web apps are written in PHP. I do not know or use
>> PHP.
> 
> That URL is actually a special case because it contains an encoded
> slash, which is considered an especially dangerous item.  See the
> AllowEncodedSlashes directive.  It should get logged anyway.  If you can
> show that it isn't getting to the error log in 2.2, then you should
> report it as a bug.
> 
> Joshua.

Thanks for your response.

If I set AllowEncodedSlashes On, the request still results in a
404 message because of the other obfuscated characters. I'll
try Apache version 2.2 later. As I said earlier, I'm happy that
Apache behaves this way but I'd like to know why Apache/PHP sites
are so vulnerable to attacks that use obfuscation.

Ed

Re: [users@httpd] Apache/PHP and obfuscated URLs

Posted by Joshua Slive <jo...@slive.ca>.
On 10/5/06, Ed Sawicki <ed...@alcpress.com> wrote:
> I see that Apache 2.0 does not convert an obfuscated URL
> into its canonical form. For example, with this URL:
>
> http://www.example.com/url/hack
>
> I see the Web page and the access log shows this:
>
> 10-05 07:41 "GET /url/hack HTTP/1.1" 200
>
>
> With this obfuscated URL:
>
> http://www.example.com/%75%72%6C%2F%68%61%63%6B
>
> I get a 404 error page and the access log shows this:
>
> 10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
>
> However, the error log does not log this 404 error with
> the default LogLevel.
>
> Two questions:
>
> 1. Why doesn't Apache log the error when other 404 errors are
> logged?
>
> 2. I'm pleased that Apache doesn't convert obfuscated URLs
> into canonical form, but I'm wondering why attackers have
> success using obfuscated URLs when attacking Apache sites
> where the Web apps are written in PHP. I do not know or use
> PHP.

That URL is actually a special case because it contains an encoded
slash, which is considered an especially dangerous item.  See the
AllowEncodedSlashes directive.  It should get logged anyway.  If you can
show that it isn't getting to the error log in 2.2, then you should
report it as a bug.

Joshua.
