You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Glenn Fleishman <gl...@glenns.org> on 2000/02/28 02:06:51 UTC
other/5817: new attack pattern using long cookies?
>Number: 5817
>Category: other
>Synopsis: new attack pattern using long cookies?
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Sun Feb 27 17:10:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: glenn@glenns.org
>Release: 1.3.9
>Organization:
apache
>Environment:
RedHat 6.1, gcc latest version
>Description:
I noticed a very long cookie in a recent user request. I'm wondering if this is a new attack pattern and whether Apache is secure against it:
www.joyofpi.com 193.115.251.70 - - [27/Feb/2000:17:00:42 -0800] "GET / HTTP/1.0" 200 - "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)" "ASPSESSIONIDGQGQQHGJ=BPFJOJFABOACGJAAAKGKOPPF; VisID=193.115.251.70.19965951688643998; Apache=193.115.251.70.10052.951688618.392; ASPSESSIONIDQQQQGGAB=INFCPFGBFCKJPDINKDAPIBIM; RMID=c173fb4638b99d60; SITESERVER=ID=04fd3ec7a1b730ac60154523f65c08f3; ASPSESSIONIDQQGGGHRM=LPNFCDFDDNLCMGLGEIGFBEJA; ASPSESSIONIDQGQGGGFY=BMOHEPACLJJMELCFHBEFCBBD; ASPSESSIONIDQQGGGRRQ=CNHJPMIDEBILFGFHGCGPEGCI; WEBTRENDS_ID=193.115.251.70-3914068400.29327725; ASPSESSIONIDQGGGGGBT=FDIDFHDDAMJILFMMEEJPIEDE; ASPSESSIONIDGGGQGHXH=BJAIPMKAIPMCOJFMADGMFNPP; INTERSE=193.115.251.708596951688990940; IRATEsession=IRATEsession; ASPSESSIONIDGQQQQQCX=HKNBOCMCHGPGJBLJLFPNKKKP; ASPSESSIONIDQQQQGHWO=EAIJEAHABMMJJDBMGFNJIGOM; ASPSESSIONIDGGQQGGDJ=CDFEJIPAJHNMBHDKBJMGNAHJ; ASPSESSIONIDGGQQGQYE=BIMJFOBABACCIAJFGGHEDDJD; ASPSESSIONIDQGGQQGAA=MGABFFKCIEMGIJMFFBFMCNJE; ASPSESSIONIDGQQQQQDF=FKMHFFBDGFHEGGADBHLKEKNF; ASPSESSIONIDQGGQGQBW=NLBFOCHDIDAMKLCIHBNABNAK; ASPSESSIONIDGQGQQGYB=HPPNCNKBCCBBEGLGFHNHNMHO; ASPSESSIONID=TZVAUQXHIDUKUHJZ; ASPSESSIONIDQGGQGGAL=POJHNKICEIKIAAFLKGJLHDIG; AccipiterId=0023844a*Def; ASPSESSIONIDGQGQQGYT=NIFNNEBDCDNGAJJAGPDEFMKE; ASPSESSIONIDGQGGGGCJ=MGJDBPAABMPNNIGIBGJFILIO; EGSOFT_ID=193.115.251.70-4264881104.29327726; ASPSESSIONIDGGGGQGLR=PIBMCLHCOLJPBLCEDDNKEAJM; ASPSESSIONIDQGGQQQAC=LLBAHGKDKDKOMMPIHNKNCEDE; ASPSESSIONIDQQGGQQLP=JKKFGOGANPGACAMFGMPFCMIC; ASPSESSIONIDGQGGQQDC=KMELFLJDHDLPHAENJHNNDEDF; ASPSESSIONIDGQGQQQKN=NJPFHLKDOFDHOEGOFLLHIKMC; IPCLog=193%2E115%2E251%2E70%3A2%2F27%2F00; ASPSESSIONIDGGGQGGKX=PJLAEOLAAHAJLBDNHBPOCGJD; ASPSESSIONIDGQQGQGEX=NOOHJKACDNOIONIGAAPHDEEE; CFTOKEN=20375; CFID=1614275; NGUserID=d1433e1a-149-951689984-1; ASPSESSIONIDQQGQGHRB=EFCFIEIDPKPBFHJBKLABNJMB; TIG1=19310867oi951689482000; ASPSESSIONIDGGQQGQCB=LMGNAAKDEKIGDNOGHLDOFINL; ASPSESSIONIDQQGQQQAS=HNAAJDCDEMJIDMGJCANCJJCE; ASPSESSIONIDQGQQQQDD=MIPJKBIAGEBJHPCCHLOJNPKF; ASPSESSIONIDGGGGGQAX=GHCMEMICEEGABCHDLNMGAMHE; ASPSESSIONIDQQGQGHMK=BNFADACALOAPEAFLEPGAFBMC; ASPSESSIONIDQGQGQRPQ=AJKPPLMALHIEAGHEKJDKBDNM; ASPSE"
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <ap...@Apache.Org> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]