[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SEARCH attack

On Mon, Jun 07, 2004 at 11:42:53 +0200, Robert Cates wrote:
> I hoping somebody can both fill me in on what this SEARCH is all about,

SEARCH is documented in
It is a part of an internet draft extending the WebDAV protocol
(http://www.webdav.org) which extends HTTP with features suitable for
authoring and versioning.

> and what I can/should do to stop it:
> Every so often I find a very long request in my Apache access logs that
> seems to be an attempted SEARCH ("SEARCH /\x90\x02\xb1\x02\xb1\x02\ ...").
> 1).  Is this a security problem (on a Linux server)?

Judging by http://www.snort.org/snort-db/sid.html?sid=1070 it is only
really relevant for IIS servers.

> 2).  If so, how can I stop this?  I tried to stop it using a <Limit SEARCH>,
> but a configtest told me that "SEARCH" was an undefined or unknown method.

Your server doesn't implement the SEARCH method, so the attempted overflow

LWN normally tries to avoid talking much about Microsoft - it is simply
irrelevant to the free software world most of the time.

Reply to: