httpd-users mailing list archives

From: Ed Sawicki ...@alcpress.com>
Subject: Re: [users@httpd] Apache/PHP and obfuscated URLs
Date: Thu, 05 Oct 2006 20:55:34 GMT
Joshua Slive wrote:
> On 10/5/06, Ed Sawicki <ed@alcpress.com> wrote:
>> I see that Apache 2.0 does not convert an obfuscated URL
>> into its canonical form. For example, with this URL:
>>
>> http://www.example.com/url/hack
>>
>> I see the Web page and the access log shows this:
>>
>> 10-05 07:41 "GET /url/hack HTTP/1.1" 200
>>
>>
>> With this obfuscated URL:
>>
>> http://www.example.com/%75%72%6C%2F%68%61%63%6B
>>
>> I get a 404 error page and the access log shows this:
>>
>> 10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404
>>
>> However, the error log does not log this 404 error with
>> the default LogLevel.
>>
>> Two questions:
>>
>> 1. Why doesn't Apache log the error when other 404 errors are
>> logged?
>>
>> 2. I'm pleased that Apache doesn't convert obfuscated URLs
>> into canonical form, but I'm wondering why attackers have
>> success using obfuscated URLs when attacking Apache sites
>> where the Web apps are written in PHP. I do not know or use
>> PHP.
> 
> That URL is actually a special case because it contains an encoded
> slash, which is considered an especially dangerous item.  See the
> AllowEncodedSlashes directive.  It should get logged anyway.  If you can
> show that it isn't getting to the error log in 2.2, then you should
> report it as a bug.
> 
> Joshua.

Thanks for your response.

If I set AllowEncodedSlashes On, the request still results in a
404 message because of the other obfuscated characters. I'll
try Apache version 2.2 later. As I said earlier, I'm happy that
Apache behaves this way but I'd like to know why Apache/PHP sites
are so vulnerable to attacks that use obfuscation.

Ed
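
An added example, not part of the original message or of Apache itself: a check over access-log lines that flags request paths like the one quoted in this thread, where unreserved characters (RFC 3986) or a slash arrive percent-encoded. The log format follows the lines quoted above; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3986 unreserved characters: a client never needs to percent-encode these,
# so seeing them encoded in a request path is worth a second look.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def inspect_line(line):
    """Return a finding dict for one access-log line, or None if unremarkable."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # look at the path only
    decoded_chars = [chr(int(h, 16)) for h in ESCAPE.findall(path)]
    needless = [c for c in decoded_chars if c in UNRESERVED]
    encoded_slash = "/" in decoded_chars  # %2F, the AllowEncodedSlashes case
    if not needless and not encoded_slash:
        return None  # e.g. %20 in a file name is ordinary encoding
    return {
        "raw": path,
        "decoded": unquote(path),  # canonical form, for the analyst to compare
        "status": int(m.group("status")),
        "needless_escapes": len(needless),
        "encoded_slash": encoded_slash,
    }


def scan(lines):
    """Return findings for every line that inspect_line flags."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample lines in the log format quoted in the thread.
SAMPLE_LOG = [
    '10-05 07:41 "GET /url/hack HTTP/1.1" 200',
    '10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404',
    '10-05 07:42 "GET /docs/my%20file.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the check reads the access log, it catches these requests whether or not a matching entry reaches the error log.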
