
Re: SEARCH attack



On Mon, Jun 07, 2004 at 11:42:53 +0200, Robert Cates wrote:
> I'm hoping somebody can both fill me in on what this SEARCH is all about,

SEARCH is documented in
http://greenbytes.de/tech/webdav/draft-reschke-webdav-search-latest.html#rfc.section.2
It is a part of an internet draft extending the WebDAV protocol
(http://www.webdav.org) which extends HTTP with features suitable for
authoring and versioning.

> and what I can/should do to stop it:
> 
> Every so often I find a very long request in my Apache access logs that
> seems to be an attempted SEARCH ("SEARCH /\x90\x02\xb1\x02\xb1\x02\ ...").
> 
> 1).  Is this a security problem (on a Linux server)?

Judging by http://www.snort.org/snort-db/sid.html?sid=1070 it is only
really relevant for IIS servers.

> 2).  If so, how can I stop this?  I tried to stop it using a <Limit SEARCH>,
> but a configtest told me that "SEARCH" was an undefined or unknown method.

Your server doesn't implement the SEARCH method, so the attempted overflow
fails.

HTH,
Ray
-- 
LWN normally tries to avoid talking much about Microsoft - it is simply
irrelevant to the free software world most of the time.
	http://www.lwn.net/2000/0406/
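
An added example, not part of the original message: a check that finds the kind of access-log entry quoted in the thread (a SEARCH request whose URI is a long run of `\xhh`-escaped bytes) and reports whether the server rejected it. It assumes the Apache common/combined log layout with `\xhh`, `\\` and `\"` escaping in the request field; the thresholds and all sample lines are constructed.

```python
import re

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed escaping in the request field: \xhh for a raw byte, \\ and \" otherwise.
ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')

def analyze_line(line, min_len=200, min_escaped=16):
    """Return a finding for an oversized or binary SEARCH request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if parts[0] != "SEARCH" or len(parts) < 2:
        return None
    uri = parts[1]
    tokens = ESCAPE.findall(uri)
    escaped = sum(1 for t in tokens if len(t) == 3)    # \xhh escapes only
    wire_len = len(uri) - sum(len(t) for t in tokens)  # each escape is one byte on the wire
    if wire_len < min_len and escaped < min_escaped:   # hypothetical thresholds
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "uri_bytes": wire_len,
        "escaped_bytes": escaped,
        "status": status,
        "rejected": status >= 400,  # an error status means the request was not served
    }

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample lines (addresses, times, sizes and status codes are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2004:03:12:45 +0200] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Jun/2004:04:01:09 +0200] "SEARCH /'
    + r'\x90\x02\xb1\x02\xb1\x02' * 100 + '" 414 331',
    '192.0.2.33 - - [07/Jun/2004:05:30:00 +0200] "SEARCH /docs HTTP/1.1" 501 290',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `rejected` set to false is the case worth a closer look, since it means the server answered the oversized SEARCH with a success or redirect status.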


