Bug#244174: apache: bogus requests create oversized log entries with wrong error code

To: "Norbert Bottlaender-Prier" <norbert@globenet.org>, "Debian Bug Tracking System" <submit@bugs.debian.org>
Subject: Bug#244174: apache: bogus requests create oversized log entries with wrong error code
From: "Carl Johnstone" <carl.johnstone@gmgrd.co.uk>
Date: Mon, 19 Apr 2004 10:28:07 +0100
Message-id: <[🔎] CB7CFFB81937E3498D2DC1A738D2986703521415@EX1.gmnews.co.uk>
Reply-to: "Carl Johnstone" <carl.johnstone@gmgrd.co.uk>, 244174@bugs.debian.org

   
 
In case you're are not aware - what you are seeing are requests attempting to exploit a bug in IIS. The bug is a buffer overflow so needs a very long URI to case the buffer to overflow. It's easier for the script kiddies to just send the exploit code in a single request than to bother checking whether the server is IIS before sending the exploit code. Therefore those of us that run apache get the fallout from this.

> followed by 314 (URI too long)

My apache install returns a 414 - I assume that's a typo.

> 1) AFAIK there exists no "SEARCH" request in HTTP1.1, (a grep 
> for "SEARCH"
> in the specification text gives no exploitable results)

You may add your own methods to the HTTP protocol, so this in itself is not a bug or problem.

> 2) the log entries result in lots of mails sent to me 
> by my webalizer

That is a problem with your webalizer not correctly dealing with the log files apache provides.

> so, I think the error code should be 405 (method not allowed) 

That's what the HTTP specification states you should respond if you don't accept the protocol being requested. I would assume that the URL length check is done before the protocol check thus 414 is returned.

> and the log lines should stop there
> without repeating the whole bogus request.

This is apache logging the full requested URI exactly the same for any other request it receives. (Actually it would seem that apache only logs the buffered amount of it's URI.) Again this is not a bug in apache, it's behaving exactly as it is configured.

I can't see any bugs with apache, there's not much to choose between a 414 or a 405 error.

As a suggestion - most of the attempts to exploit flaws in web servers are sent to an IP withough any HTTP Host headers. I have a default VirtualHost which catches all these types of request and logs them separately from all my proper web sites.

Carl   
--------------------------------------------------------
GMG Regional Digital is part of the Guardian Media Group plc. 
 
 
  
 
CONFIDENTIALITY NOTICE. The information contained in this e-mail is intended only for norbert@globenet.org, submit@bugs.debian.org. It may contain privileged and confidential information that is exempt from disclosure by law and if you are not an intended recipient, you must not copy, distribute or take any action in reliance on it. If you have received this e-mail in error, you may notify our helpdesk by telephone on 44 (0)161 211 2222. E-mail transmission cannot be guaranteed to be secure or error-free. The sender (carl.johnstone@gmgrd.co.uk) therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

Reply to:

Follow-Ups:
- Re: Bug#244174: apache: bogus requests create oversized log entries with wrong error code
  - From: Fabio Massimo Di Nitto <fabbione@fabbione.net>

Prev by Date: Bug#244636: ssl-cert: Japanese po-debconf template translation (ja.po)
Next by Date: Invalid method in request
Previous by thread: Bug#244174: marked as done (apache: bogus requests create oversized log entries with wrong error code)
Next by thread: Re: Bug#244174: apache: bogus requests create oversized log entries with wrong error code
Index(es):
- Date
- Thread