Re: SEARCH attack
On Mon, Jun 07, 2004 at 11:42:53 +0200, Robert Cates wrote:
> I hoping somebody can both fill me in on what this SEARCH is all about,
SEARCH is documented in
http://greenbytes.de/tech/webdav/draft-reschke-webdav-search-latest.html#rfc.section.2
It is a part of an internet draft extending the WebDAV protocol
(http://www.webdav.org) which extends HTTP with features suitable for
authoring and versioning.
> and what I can/should do to stop it:
>
> Every so often I find a very long request in my Apache access logs that
> seems to be an attempted SEARCH ("SEARCH /\x90\x02\xb1\x02\xb1\x02\ ...").
>
> 1). Is this a security problem (on a Linux server)?
Judging by http://www.snort.org/snort-db/sid.html?sid=1070 it is only
really relevant for IIS servers.
> 2). If so, how can I stop this? I tried to stop it using a <Limit SEARCH>,
> but a configtest told me that "SEARCH" was an undefined or unknown method.
Your server doesn't implement the SEARCH method, so the attempted overflow
fails.
HTH,
Ray
--
LWN normally tries to avoid talking much about Microsoft - it is simply
irrelevant to the free software world most of the time.
http://www.lwn.net/2000/0406/
Reply to: