In this case I agree this is a solution. If Apache wouldn't accept any 'separators' then XSS (and other stuff) wouldn't be possible at all. Is there anywhere described which chars can be used in protocol "field"? Regards Michal.
On 4/24/07, Richard Moore <[EMAIL PROTECTED]> wrote: > Michal Majchrowicz wrote: > > Okay so let's assume that there cany "anything" as the request. But > > there has to be something that handles this request? If there is no > > "handler" for request "<script>" Apache should return error page. And > > what about protocol version? You didn't answer this question. > > Regards Michal. > > The handler here is your script - there's no way for apache to > know what your script does. It is the responsibility of the script > to raise an error in this case. > > To be precise the HTTP specification (RFC 2616) says a method is: > > Method = "OPTIONS" ; Section 9.2 > | "GET" ; Section 9.3 > | "HEAD" ; Section 9.4 > | "POST" ; Section 9.5 > | "PUT" ; Section 9.6 > | "DELETE" ; Section 9.7 > | "TRACE" ; Section 9.8 > | "CONNECT" ; Section 9.9 > | extension-method > extension-method = token > > Now, token is defined by these productions: > > token = 1*<any CHAR except CTLs or separators> > > CHAR = <any US-ASCII character (octets 0 - 127)> > > separators = "(" | ")" | "<" | ">" | "@" > | "," | ";" | ":" | "\" | <"> > | "/" | "[" | "]" | "?" | "=" > | "{" | "}" | SP | HT > > CTL = <any US-ASCII control character > (octets 0 - 31) and DEL (127)> > > So that implies that Apache is being slightly lax in passing arbitrary > content. However, there is no fixed list of valid methods as you can > define your own as an extension-method. This is used by a number of > protocols. Apache should probably raise an error if the method > contains characters outside these defined productions. > > Cheers > > Rich. > > > > > > On 4/24/07, Richard Moore <[EMAIL PROTECTED]> wrote: > >> Michal Majchrowicz wrote: > >> > Hi. > >> > I think that server should have a list of valid requests. In fact > >> > Apache warns you sometimes that valid requests are: > >> > "GET/POST/TRACE/OPTIONS". The solution that it just accepts everything > >> > as request and protocol makes no sense. What kind of protocol is > >> > >> It makes lots of sense as I said - protocols like WebDAV are > >> layered on top of HTTP and are implemented in apache using the > >> exact same API as PHP uses. They need to add methods like PROPFIND > >> etc. Unless they are required to define the exact set of verbs > >> supported by every page then there's no way to define a fixed > >> list. > >> > >> I do however agree that it could be restricted to something like > >> [A-Z0-9]+ as I said. > >> > >> Cheers > >> > >> Rich. > >> > >> > "<script>"? > >> > Regards Michal. > >> > > >> > On 4/24/07, Richard Moore <[EMAIL PROTECTED]> wrote: > >> >> Michal Majchrowicz wrote: > >> >> > Hi. > >> >> > I think now we can classify this as flaw in Apache. It accepts > >> >> > requests that simply make no sense. Take a look at this example: > >> >> > <script>alert(document.cookie);</script> /test.php > >> >> > <script>alert(document.cookie);</script> > >> >> > In some circumstances it may cause XSS vulnerability: > >> >> > <?php > >> >> > echo $_SERVER['REQUEST_METHOD']; > >> >> > echo $_SERVER['SERVER_PROTOCOL']; > >> >> > ?> > >> >> > >> >> As Kradorex Xeron said, that's a flaw in the script. Apache needs > >> >> to let arbitrary verbs through to the PHP (or other server extension) > >> >> otherwise tools like webdav that require additional verbs could not > >> >> be implemented. It is possibly arguable that it should restrict the > >> >> verbs to a single alphanumeric string, but it certainly can't be > >> >> counted on to be just GET/POST etc. > >> >> > >> >> Cheers > >> >> > >> >> Rich. > >> >> > >> >> > I am now investigating other possible attacks. > >> >> > Regards Michal Majchrowicz. > >> >> > > >> >> > _______________________________________________ > >> >> > Full-Disclosure - We believe in it. > >> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> >> > Hosted and sponsored by Secunia - http://secunia.com/ > >> >> > > >> >> > > >> >> > >> >> > >> >> -- > >> >> Richard Moore, Principal Software Engineer, > >> >> Westpoint Ltd, > >> >> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England > >> >> Tel: +44 161 237 1028 > >> >> Fax: +44 161 237 1031 > >> >> > >> > > >> > > >> > >> > >> -- > >> Richard Moore, Principal Software Engineer, > >> Westpoint Ltd, > >> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England > >> Tel: +44 161 237 1028 > >> Fax: +44 161 237 1031 > >> > > > > > > > -- > Richard Moore, Principal Software Engineer, > Westpoint Ltd, > Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England > Tel: +44 161 237 1028 > Fax: +44 161 237 1031 > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/