
Bug#253775: marked as done (libapache2-svn: logs incorrect data when faced with IIS WebDAV SEARCH attack)



Your message dated Fri, 17 Sep 2004 08:40:55 -0600
with message-id <E1C8Jux-0002ps-00@lucifer.0c3.net>
and subject line logs incorrect data when faced with IIS WebDAV SEARCH attack
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 11 Jun 2004 01:50:53 +0000
>From scott@scottstuff.net Thu Jun 10 18:50:53 2004
Return-path: <scott@scottstuff.net>
Received: from bdsl.66.12.153.218.gte.net (scottstuff.net) [66.12.153.218] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1BYbC1-0001Nx-00; Thu, 10 Jun 2004 18:50:53 -0700
Received: from localhost (localhost [127.0.0.1])
  (uid 1000)
  by scottstuff.net with local; Thu, 10 Jun 2004 18:50:49 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Scott Laird <scott@sigkill.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-svn: logs incorrect data when faced with IIS WebDAV SEARCH attack
X-Mailer: reportbug 2.61
Date: Thu, 10 Jun 2004 18:50:49 -0700
Message-ID: <courier.40C90FF9.000069FE@scottstuff.net>
Delivered-To: submit@bugs.debian.org

Package: libapache2-svn
Version: 1.0.3-1
Severity: important
Tags: security sid

I get hit with at least one exploit attempt per day that consists of
an HTTP 'SEARCH' command followed by approximately 32k of overflow data.
Google suggests that this is an attempt to exploit a known IIS WebDAV
bug.  Under normal circumstances, this wouldn't bother me, since I
wouldn't touch IIS with a ten-foot pole (and wouldn't submit Debian bugs
about it, even if I had a longer pole).

However, about half of the access log entries for exploit attempts
contain strings from my personal Subversion repository as part of the 
logged HTTP SEARCH string.  An example is available at
<http://scottstuff.net/misc/apache-log.txt>.  The final 4k of the
logged string belongs to a file that is maintained via WebDAV and
Subversion.  It contains personal details and clearly wasn't submitted
as part of the exploit.  Therefore, there's probably an overflow
somewhere in Subversion or Apache 2, and this IIS exploit is causing
Apache/Subversion to misbehave, appending something from somewhere else
in memory onto the logged string.

Alternately, Apache could be truncating the logged string around 32k but
forgetting to append the trailing '\0', but I haven't seen any evidence
of this in a quick survey of the code.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.25
Locale: LANG=C, LC_CTYPE=C

Versions of packages libapache2-svn depends on:
ii  apache2-mpm-prefork [apache 2.0.49-1     Traditional model for Apache2
ii  db4.2-util                  4.2.52-10    Berkeley v4.2 Database Utilities
ii  libc6                       2.3.2.ds1-11 GNU C Library: Shared libraries an
ii  libsvn0                     1.0.3-1      Shared libraries used by Subversio

-- no debconf information
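
The alternative raised in the report above (a string truncated at a fixed limit without a trailing '\0') can be shown with a small added C sketch. It is not Apache or Subversion code: the function names, the 16-byte limit standing in for the roughly 32k one, and the sample data are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP  16   /* stand-in for the ~32k limit mentioned in the report */
#define ARENA_LEN 48   /* request-line slot plus the memory that follows it */

/* Model adjacent memory as one array: bytes [0, LINE_CAP) are the request-line
 * slot, the bytes after it hold unrelated data (constructed sample). */
static void arena_init(char *arena)
{
    memset(arena, 0, ARENA_LEN);
    strcpy(arena + LINE_CAP, "private-repo-data");
}

/* Hypothesised defect: bounded copy that leaves no '\0' when the request
 * fills the slot (strncpy does not terminate in that case). */
static void store_unterminated(char *arena, const char *req)
{
    strncpy(arena, req, LINE_CAP);
}

/* Corrected form: keep the last byte of the slot for the terminator. */
static void store_terminated(char *arena, const char *req)
{
    size_t n = strlen(req);
    if (n > LINE_CAP - 1)
        n = LINE_CAP - 1;
    memcpy(arena, req, n);
    arena[n] = '\0';
}

/* Number of bytes a "%s"-style log write would emit for the slot. */
static size_t logged_len(const char *arena)
{
    return strlen(arena);
}

int main(void)
{
    char arena[ARENA_LEN];
    const char *req = "SEARCH /AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed */
    arena_init(arena);
    store_unterminated(arena, req);
    printf("unterminated: %zu bytes: %s\n", logged_len(arena), arena);
    arena_init(arena);
    store_terminated(arena, req);
    printf("terminated:   %zu bytes: %s\n", logged_len(arena), arena);
    return 0;
}
```

With the unterminated copy the logged string runs on into the neighbouring bytes, which matches the symptom of unrelated file content appearing at the end of the logged SEARCH line.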

---------------------------------------
Received: (at 253775-done) by bugs.debian.org; 17 Sep 2004 14:40:56 +0000
>From adconrad@0c3.net Fri Sep 17 07:40:56 2004
Return-path: <adconrad@0c3.net>
Received: from s010600e029962405.cg.shawcable.net (lucifer.0c3.net) [68.147.203.152] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C8Juy-0000FZ-00; Fri, 17 Sep 2004 07:40:56 -0700
Received: from adconrad by lucifer.0c3.net with local (Exim 3.36 #1 (Debian))
	id 1C8Jux-0002ps-00
	for <253775-done@bugs.debian.org>; Fri, 17 Sep 2004 08:40:55 -0600
To: 253775-done@bugs.debian.org
Subject: logs incorrect data when faced with IIS WebDAV SEARCH attack
Message-Id: <E1C8Jux-0002ps-00@lucifer.0c3.net>
From: Adam Conrad <adconrad@0c3.net>
Date: Fri, 17 Sep 2004 08:40:55 -0600
Delivered-To: 253775-done@bugs.debian.org

This bug was fixed several upstream revisions back, and the off-by-one error introduced by the bugfix was fixed in 2.0.51, allowing this bug to finally be closed.


