httpd-users mailing list archives

From Ed Sawicki ...@alcpress.com>
Subject [users@httpd] Apache/PHP and obfuscated URLs
Date Thu, 05 Oct 2006 16:39:03 GMT
I see that Apache 2.0 does not convert an obfuscated URL
into its canonical form. For example, with this URL:

http://www.example.com/url/hack

I see the Web page and the access log shows this:

10-05 07:41 "GET /url/hack HTTP/1.1" 200


With this obfuscated URL:

http://www.example.com/%75%72%6C%2F%68%61%63%6B

I get a 404 error page and the access log shows this:

10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404

However, the error log does not log this 404 error with
the default LogLevel.

Two questions:

1. Why doesn't Apache log the error when other 404 errors are
logged?

2. I'm pleased that Apache doesn't convert obfuscated URLs
into canonical form, but I'm wondering why attackers have
success using obfuscated URLs when attacking Apache sites
where the Web apps are written in PHP. I do not know or use
PHP.

Ed
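
Added example, not part of the original message: a Python check that decodes request paths from access-log lines in the abbreviated format quoted above and flags paths that percent-encode characters which never need encoding. The `analyze` function, the regular expressions and the third sample line are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters never need percent-encoding, so finding
# them encoded in a request path is a sign of deliberate obfuscation.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")

# Abbreviated log format as quoted in the message:
#   10-05 07:41 "GET /url/hack HTTP/1.1" 404
LOG_RE = re.compile(r'^(\S+ \S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")

# The two log lines from the message, plus one constructed line with a
# legitimately encoded space.
SAMPLE = [
    '10-05 07:41 "GET /url/hack HTTP/1.1" 200',
    '10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404',
    '10-05 07:42 "GET /docs/release%20notes.html HTTP/1.1" 200',  # constructed
]

def analyze(line):
    """Parse one log line; return a dict of findings, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, method, raw, status = m.groups()
    path = raw.split("?", 1)[0]          # only inspect the path component
    escapes = [h.upper() for h in PCT_RE.findall(path)]
    needless = [h for h in escapes if chr(int(h, 16)) in UNRESERVED]
    # An encoded slash is tracked separately: Apache refuses such paths with
    # a 404 while AllowEncodedSlashes is Off, which is its default.
    encoded_slash = "2F" in escapes
    return {
        "time": when,
        "method": method,
        "raw": raw,
        "decoded": unquote(path),
        "status": int(status),
        "needless_escapes": len(needless),
        "encoded_slash": encoded_slash,
        "suspicious": bool(needless) or encoded_slash,
    }

if __name__ == "__main__":
    for entry in filter(None, map(analyze, SAMPLE)):
        if entry["suspicious"]:
            print(entry["time"], entry["status"], entry["raw"], "->", entry["decoded"])
```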
