other/5817: new attack pattern using long cookies?

[Glenn Fleishman <gl...@glenns.org>]

>Number:         5817
>Category:       other
>Synopsis:       new attack pattern using long cookies?
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Sun Feb 27 17:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     glenn@glenns.org
>Release:        1.3.9
>Organization:
apache
>Environment:
RedHat 6.1, gcc latest version
>Description:
I noticed a very long cookie in a recent user request. I'm wondering if this is  a new attack pattern and whether Apache is secure against it:

www.joyofpi.com 193.115.251.70 - - [27/Feb/2000:17:00:42 -0800] "GET / HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)" "ASPSESSIONIDGQGQQHGJ=BPFJOJFABOACGJAAAKGKOPPF; VisID=193.115.251.70.19965951688643998; Apache=193.115.251.70.10052.951688618.392; ASPSESSIONIDQQQQGGAB=INFCPFGBFCKJPDINKDAPIBIM; RMID=c173fb4638b99d60; SITESERVER=ID=04fd3ec7a1b730ac60154523f65c08f3; ASPSESSIONIDQQGGGHRM=LPNFCDFDDNLCMGLGEIGFBEJA; ASPSESSIONIDQGQGGGFY=BMOHEPACLJJMELCFHBEFCBBD; ASPSESSIONIDQQGGGRRQ=CNHJPMIDEBILFGFHGCGPEGCI; WEBTRENDS_ID=193.115.251.70-3914068400.29327725; ASPSESSIONIDQGGGGGBT=FDIDFHDDAMJILFMMEEJPIEDE; ASPSESSIONIDGGGQGHXH=BJAIPMKAIPMCOJFMADGMFNPP; INTERSE=193.115.251.708596951688990940; IRATEsession=IRATEsession; ASPSESSIONIDGQQQQQCX=HKNBOCMCHGPGJBLJLFPNKKKP; ASPSESSIONIDQQQQGHWO=EAIJEAHABMMJJDBMGFNJIGOM; ASPSESSIONIDGGQQGGDJ=CDFEJIPAJHNMBHDKBJMGNAHJ; ASPSESSIONIDGGQQGQYE=BIMJFOBABACCIAJFGGHEDDJD; ASPSESSIONIDQGGQQGAA=MGABFFKCIEMGIJMFFBFMCNJE; ASPSESSIONIDGQQQQQDF=FKMHFFBDGFHEGGADBHLKEKNF; ASPSESSIONIDQGGQGQBW=NLBFOCHDIDAMKLCIHBNABNAK; ASPSESSIONIDGQGQQGYB=HPPNCNKBCCBBEGLGFHNHNMHO; ASPSESSIONID=TZVAUQXHIDUKUHJZ; ASPSESSIONIDQGGQGGAL=POJHNKICEIKIAAFLKGJLHDIG; AccipiterId=0023844a*Def; ASPSESSIONIDGQGQQGYT=NIFNNEBDCDNGAJJAGPDEFMKE; ASPSESSIONIDGQGGGGCJ=MGJDBPAABMPNNIGIBGJFILIO; EGSOFT_ID=193.115.251.70-4264881104.29327726; ASPSESSIONIDGGGGQGLR=PIBMCLHCOLJPBLCEDDNKEAJM; ASPSESSIONIDQGGQQQAC=LLBAHGKDKDKOMMPIHNKNCEDE; ASPSESSIONIDQQGGQQLP=JKKFGOGANPGACAMFGMPFCMIC; ASPSESSIONIDGQGGQQDC=KMELFLJDHDLPHAENJHNNDEDF; ASPSESSIONIDGQGQQQKN=NJPFHLKDOFDHOEGOFLLHIKMC; IPCLog=193%2E115%2E251%2E70%3A2%2F27%2F00; ASPSESSIONIDGGGQGGKX=PJLAEOLAAHAJLBDNHBPOCGJD; ASPSESSIONIDGQQGQGEX=NOOHJKACDNOIONIGAAPHDEEE; CFTOKEN=20375; CFID=1614275; NGUserID=d1433e1a-149-951689984-1; ASPSESSIONIDQQGQGHRB=EFCFIEIDPKPBFHJBKLABNJMB; TIG1=19310867oi951689482000; ASPSESSIONIDGGQQGQCB=LMGNAAKDEKIGDNOGHLDOFINL; ASPSESSIONIDQQGQQQAS=HNAAJDCDEMJIDMGJCANCJJCE; ASPSESSIONIDQGQQQQDD=MIPJKBIAGEBJHPCCHLOJNPKF; ASPSESSIONIDGGGGGQAX=GHCMEMICEEGABCHDLNMGAMHE; ASPSESSIONIDQQGQGHMK=BNFADACALOAPEAFLEPGAFBMC; ASPSESSIONIDQGQGQRPQ=AJKPPLMALHIEAGHEKJDKBDNM; ASPSE"
>How-To-Repeat:

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
 [In order for any reply to be added to the PR database, you need]
 [to include <ap...@Apache.Org> in the Cc line and make sure the]
 [subject line starts with the report component and number, with ]
 [or without any 'Re:' prefixes (such as "general/1098:" or      ]
 ["Re: general/1098:").  If the subject doesn't match this       ]
 [pattern, your message will be misfiled and ignored.  The       ]
 ["apbugs" address is not added to the Cc line of messages from  ]
 [the database automatically because of the potential for mail   ]
 [loops.  If you do not include this Cc, your reply may be ig-   ]
 [nored unless you are responding to an explicit request from a  ]
 [developer.  Reply only with text; DO NOT SEND ATTACHMENTS!     ]