
Bug#244174: marked as done (apache: bogus requests create oversized log entries with wrong error code)



Your message dated Wed, 21 Apr 2004 10:37:31 +0200 (CEST)
with message-id <Pine.LNX.4.58.0404211035470.26958@trider-g7.ext.fabbione.net>
and subject line Bug#244174: apache: bogus requests create oversized log entries with wrong error code
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Apr 2004 05:41:11 +0000
>From norbert@tmtm.homelinux.org Fri Apr 16 22:41:11 2004
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Norbert Bottlaender-Prier <norbert@globenet.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apache: bogus requests create oversized log entries with wrong error code
X-Mailer: reportbug 2.56
Date: Sat, 17 Apr 2004 07:40:38 +0200
Message-Id: <E1BEiZC-0001qR-97@debian-p166.saint-ouen.ville>
Sender: Norbert Bottlaender-Prier <norbert@tmtm.homelinux.org>
Delivered-To: submit@bugs.debian.org

Package: apache
Version: 1.3.29.0.2-4
Severity: normal

I receive many requests looking like "SEARCH /\x90\x02\...." etc. often with
dozens of kB in length. These result in log lines containing apparently the
WHOLE request, followed by 314 (URI too long) and a number of bytes sent in
reply BUT:
1) AFAIK there exists no "SEARCH" request in HTTP1.1, (a grep for "SEARCH"
in the specification text gives no exploitable results)
2) the log entries result in lots of mails sent to me (exactly 48 a day, once
each time the analyzer is running) by my webalizer (analysis of access.log file
in order to produce web statistics) program (these log entries are treated as
errors, which is probably right, and only suppressing ALL error messages would
prevent their apparition)

So, I think the error code should be 405 (method not allowed) or eventually
400 (Bad request), or another 4xx code, and the log lines should stop there
without repeating the whole bogus request.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.4.18-bf2.4
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro

Versions of packages apache depends on:
ii  apache-common               1.3.29.0.2-4 Support files for all Apache webse
ii  debconf                     1.3.22       Debian configuration management sy
ii  dpkg                        1.10.18      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
ii  libdb4.2                    4.2.52-3     Berkeley v4.2 Database Libraries [
ii  libexpat1                   1.95.6-6     XML parsing C library - runtime li
ii  libmagic1                   4.06-2       File type determination library us
ii  libpam0g                    0.76-14.1    Pluggable Authentication Modules l
ii  logrotate                   3.6.5-2      Log rotation utility
ii  mime-support                3.23-1       MIME files 'mime.types' & 'mailcap
ii  perl                        5.8.3-3      Larry Wall's Practical Extraction 

-- debconf information:
* apache/enable-suexec: false
* apache/server-name: tmtm.homelinux.org
* apache/document-root: /var/www
* apache/server-port: 80
* apache/init: true
* apache/server-admin: norbert@tmtm.homelinux.org

---------------------------------------
Received: (at 244174-done) by bugs.debian.org; 21 Apr 2004 08:37:33 +0000
>From fabbione@fabbione.net Wed Apr 21 01:37:33 2004
Date: Wed, 21 Apr 2004 10:37:31 +0200 (CEST)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Sender: fabbione@fabbione.net
To: Carl Johnstone <carl.johnstone@gmgrd.co.uk>,
	244174-done@bugs.debian.org
Cc: Norbert Bottlaender-Prier <norbert@globenet.org>,
	Debian Apache Maintainers <debian-apache@lists.debian.org>
Subject: Re: Bug#244174: apache: bogus requests create oversized log entries
 with wrong error code
In-Reply-To: <CB7CFFB81937E3498D2DC1A738D2986703521415@EX1.gmnews.co.uk>
Message-ID: <Pine.LNX.4.58.0404211035470.26958@trider-g7.ext.fabbione.net>
References: <CB7CFFB81937E3498D2DC1A738D2986703521415@EX1.gmnews.co.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Delivered-To: 244174-done@bugs.debian.org


Hi Carl,

On Mon, 19 Apr 2004, Carl Johnstone wrote:

> > followed by 314 (URI too long)
>
> My apache install returns a 414 - I assume that's a typo.
>
> > 1) AFAIK there exists no "SEARCH" request in HTTP1.1, (a grep for
> >    "SEARCH" in the specification text gives no exploitable results)
>
> You may add your own methods to the HTTP protocol, so this in itself is
> not a bug or problem.
>
> > 2) the log entries result in lots of mails sent to me by my webalizer
>
> That is a problem with your webalizer not correctly dealing with the log
> files apache provides.
>
> > so, I think the error code should be 405 (method not allowed)
>
> That's what the HTTP specification states you should respond if you
> don't accept the protocol being requested. I would assume that the URL
> length check is done before the protocol check thus 414 is returned.
>
> > and the log lines should stop there without repeating the whole bogus
> > request.
>
> This is apache logging the full requested URI exactly the same for any
> other request it receives. (Actually it would seem that apache only logs
> the buffered amount of its URI.) Again this is not a bug in apache,
> it's behaving exactly as it is configured.
>
> I can't see any bugs with apache, there's not much to choose between a
> 414 or a 405 error.
>
> As a suggestion - most of the attempts to exploit flaws in web servers
> are sent to an IP without any HTTP Host headers. I have a default
> VirtualHost which catches all these types of request and logs them
> separately from all my proper web sites.

Thanks a lot for your deep analysis. I am closing this bug since I can't
see any point where apache is behaving incorrectly.

Fabio

-- 
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.
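
Added example, not part of the original thread and not code from the apache package or webalizer: a pre-filter that separates the oversized "SEARCH /\x90\x02..." entries discussed above from the access log before a statistics tool reads it, keeping a truncated summary of each flagged request. The function names, the 2048-byte threshold and the sample lines are assumptions made for illustration.

```python
import re

# Common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}  # RFC 2616
MAX_REQUEST_LEN = 2048  # assumed threshold; tune to the site's longest legitimate URL


def classify(line):
    """Return (reasons, summary) for one access-log line; reasons is empty if clean."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"], line[:120]
    host, when, request, status, size = m.groups()
    reasons = []
    method = request.split(" ", 1)[0]
    if method not in KNOWN_METHODS:
        reasons.append("method:" + method[:16])
    if status == "414":
        reasons.append("status:414")
    if len(request) > MAX_REQUEST_LEN:
        reasons.append("oversized:%d" % len(request))
    if "\\x" in request:  # non-printable bytes as shown escaped in the report
        reasons.append("escaped-bytes")
    summary = '%s [%s] "%s" %s %s' % (host, when, request[:60], status, size)
    return reasons, summary


def split_log(lines):
    """Separate clean lines (for the statistics tool) from flagged summaries."""
    clean, flagged = [], []
    for line in lines:
        reasons, summary = classify(line.rstrip("\n"))
        if reasons:
            flagged.append((reasons, summary))
        else:
            clean.append(line.rstrip("\n"))
    return clean, flagged


# Constructed sample lines (documentation addresses), not taken from the report.
SAMPLE = [
    '192.0.2.10 - - [17/Apr/2004:07:12:01 +0200] "GET /index.html HTTP/1.0" 200 1456',
    '198.51.100.7 - - [17/Apr/2004:07:13:44 +0200] "SEARCH /' + "\\x90\\x02" * 4000 + '" 414 334',
]

if __name__ == "__main__":
    for reasons, summary in split_log(SAMPLE)[1]:
        print(",".join(reasons), summary)
```

Feeding only the clean lines to the analyzer keeps the bogus requests out of its error mails, while the flagged summaries stay short enough to review by hand.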


