Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-13 Thread James

On Wed, 13 Mar 2002 01:11:26 -0500
Pierre Fortin [EMAIL PROTECTED] wrote:

 On Tue, 12 Mar 2002 20:21:46 -0800 James [EMAIL PROTECTED] wrote:
 
 
  Pierre,
I never doubted you.  Just wondering how it was supposed to work 
when it's bad that is.  To clear up turning off proxy, are you
referring to removing the following line from httpd.conf?
 [snip]
 Yes; turned off pretty much all the proxy stuff here.
 
  If so have you tried this on port 8080 as well? My attempt to try it on
  mandrakesoft.com site just hung with no telnet established.  I'm also
  curious if it's a perl thing or an apache thing that causes the problem.
   Since it seems that both can do the proxies. (seems to open up 8200 for
   perl but maybe I'm wrong.)
 
 telnet www.mandrakesoft.com 80 still allows proxying.  Ports 8080 and 8200
 connect; but ignore the GET...  I haven't dug any deeper...

I didn't even get the connect... but as strange as my net's been today I'm not 
surprised.  If 8200 isn't working then the problem is not perl-httpd, or so I would 
think.  Now for any who know, is this something that should be turned in to CERT? or 
what would be the procedure to follow?

James

 
 Pierre
 
 



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-13 Thread Pierre Fortin

On Wed, 13 Mar 2002 00:48:26 -0800 James [EMAIL PROTECTED] wrote:

 I didn't even get the connect... but as strange as my net's been today
 I'm not surprised.  If 8200 isn't working then the problem is not
 perl-httpd, or so I would think.  Now for any who know, is this
 something that should be turned in to CERT? or what would be the
 procedure to follow?

I reported it to CERT as soon as I discovered it; especially since CERT's
server also allows proxying... :^)

Pierre






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-13 Thread James

On Wed, 13 Mar 2002 10:14:04 -0500
Pierre Fortin [EMAIL PROTECTED] wrote:

 On Wed, 13 Mar 2002 00:48:26 -0800 James [EMAIL PROTECTED] wrote:
 
  I didn't even get the connect... but as strange as my net's been today
  I'm not surprised.  If 8200 isn't working then the problem is not
  perl-httpd, or so I would think.  Now for any who know, is this
  something that should be turned in to CERT? or what would be the
  procedure to follow?
 
 I reported it to CERT as soon as I discovered it; especially since CERT's
 server also allows proxying... :^)
 
 Pierre

Pierre,
  Now that is a coup discovering a vulnerability in a CERT server. Kudos!

James

 
 






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-12 Thread J. Craig Woods

James wrote:
 
  On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
   Ooops...  forgot to add that I needed to hit Return after sending the GET;
   so the full instructions are:
  
  telnet server 80
  GET http://some_other_server HTTP/1.0
  Return
  
   Without the extra return, the command just sits there as you discovered.
  
   Sorry for the oversight,
   Pierre
  
   On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED] wrote:
 
  Pierre,
 
  Thankfully mine said connection refused.
 
 Mine 3 simply gave me the index.html page from the box I originally telneted into. 
Not from another server.
 
 James
 

Just to save my sanity, what is the expected response from a telnet
session into your web server's port? Like James, I get back my
index.html when I run the GET blah..blah... Does someone know of some
*good* documentation about this particular aspect of running an apache
web server? I have looked but found little on this topic
(hint..hint..Pierre)

Thanks,
-- 
J. Craig Woods
UNIX/NT Network/System Administration

-Art is the illusion of spontaneity-






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-12 Thread Pierre Fortin

On Tue, 12 Mar 2002 13:33:00 -0600 J. Craig Woods [EMAIL PROTECTED]
wrote:

 James wrote:
  
   On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
Ooops...  forgot to add that I needed to hit Return after sending
the GET; so the full instructions are:
   
   telnet server 80
   GET http://some_other_server HTTP/1.0
   Return
   
Without the extra return, the command just sits there as you
discovered.
   
Sorry for the oversight,
Pierre
   
On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED]
wrote:
  
   Pierre,
  
   Thankfully mine said connection refused.
  
  Mine 3 simply gave me the index.html page from the box I originally
  telneted into. Not from another server.
  
  James
  
 
 Just to save my sanity, what is the expected response from a telnet
 session into your web server's port? Like James, I get back my
 index.html when I run the GET blah..blah... Does someone know of some
 *good* documentation about this particular aspect of running an apache
 web server? I have looked but found little on this topic
 (hint..hint..Pierre)

Let's not forget the reason I posted this...  if your web server accepts
the above command and serves a remote page, then it can be used by kiddies
to get access to servers while making it seem all those requests are
really coming from you.  This is due to your server proxying...

Give me your server and I'll see if I can use it to access other sites
through it...  :^)

Here's an example of the problem where I connect to Mandrake and actually
get a Cisco page:

$ telnet www.mandrakesoft.com 80
Trying 63.209.80.236...
Connected to www.mandrakesoft.com (63.209.80.236).
Escape character is '^]'.
get http://www.cisco.com HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 12 Mar 2002 22:37:21 GMT
Server: Apache/1.3.12 (Unix)
Content-Type: text/html

<HTML>
<HEAD>
[snipped much META stuff]

<TITLE>Cisco Connection Online by Cisco Systems, Inc.</TITLE>

[snipped rest of page]


Turn off proxy in server to stop this...

Pierre
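
Added example (not part of the thread, and not code from any poster): a log check for the request shape described above, where the request line names another site instead of a local path. It assumes Apache Common Log Format; the function names, the OWN_HOSTS set and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache Common Log Format: client ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def foreign_target(request_line, own_hosts):
    """Return the host a request line names if it is not one of ours, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":                 # authority-form: host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                   # absolute-form: scheme://host/path
        try:
            host = urlsplit(target).hostname or ""
        except ValueError:                  # malformed authority: report it raw
            host = target
    else:                                   # origin-form: /index.html
        return None
    host = host.lower().rstrip(".")
    return host if host and host not in own_hosts else None

def scan(lines, own_hosts):
    """Return (client, foreign_host, status, size, verdict) per suspicious line."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host = foreign_target(m["request"], own)
        if host is None:
            continue
        status = int(m["status"])
        # A 2xx/3xx is not proof of relaying: two posters in the thread got
        # their own index.html back. Compare the byte count with local pages.
        verdict = "answered" if 200 <= status < 400 else "refused"
        findings.append((m["client"], host, status, m["size"], verdict))
    return findings

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2002:22:30:02 -0500] "GET /index.html HTTP/1.0" 200 4321',
    '203.0.113.7 - - [12/Mar/2002:22:37:21 -0500] "GET http://www.cisco.com HTTP/1.0" 200 15234',
    '203.0.113.7 - - [12/Mar/2002:22:37:40 -0500] "GET http://somesite.domain/page HTTP/1.0" 200 880',
    '198.51.100.4 - - [12/Mar/2002:22:41:09 -0500] "GET http://www.example.org/ HTTP/1.1" 200 4321',
    '198.51.100.9 - - [12/Mar/2002:22:45:55 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 -',
]
OWN_HOSTS = {"www.example.org"}  # assumption: the names this server answers for

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, OWN_HOSTS):
        print(*finding)
```

An absolute URI that names one of the server's own hosts is ordinary HTTP/1.1 traffic, which is why the fourth sample line is not reported.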







Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-12 Thread James

On Tue, 12 Mar 2002 17:42:22 -0500
Pierre Fortin [EMAIL PROTECTED] wrote:

 On Tue, 12 Mar 2002 13:33:00 -0600 J. Craig Woods [EMAIL PROTECTED]
 wrote:
 
  James wrote:
   
On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
 Ooops...  forgot to add that I needed to hit Return after sending
 the GET; so the full instructions are:

telnet server 80
GET http://some_other_server HTTP/1.0
Return

 Without the extra return, the command just sits there as you
 discovered.

 Sorry for the oversight,
 Pierre

 On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED]
 wrote:
   
Pierre,
   
Thankfully mine said connection refused.
   
   Mine 3 simply gave me the index.html page from the box I originally
   telneted into. Not from another server.
   
   James
   
  
  Just to save my sanity, what is the expected response from a telnet
  session into your web server's port? Like James, I get back my
  index.html when I run the GET blah..blah... Does someone know of some
  *good* documentation about this particular aspect of running an apache
  web server? I have looked but found little on this topic
  (hint..hint..Pierre)
 
 Let's not forget the reason I posted this...  if your web server accepts
 the above command and serves a remote page, then it can be used by kiddies
 to get access to servers while making it seem all those requests are
 really coming from you.  This is due to your server proxying...
 
 Give me your server and I'll see if I can use it to access other sites
 through it...  :^)
 
 Here's an example of the problem where I connect to Mandrake and actually
 get a Cisco page:
 
 $ telnet www.mandrakesoft.com 80
 Trying 63.209.80.236...
 Connected to www.mandrakesoft.com (63.209.80.236).
 Escape character is '^]'.
 get http://www.cisco.com HTTP/1.0
 
 HTTP/1.0 200 OK
 Date: Tue, 12 Mar 2002 22:37:21 GMT
 Server: Apache/1.3.12 (Unix)
 Content-Type: text/html
 
 <HTML>
 <HEAD>
 [snipped much META stuff]
 
 <TITLE>Cisco Connection Online by Cisco Systems, Inc.</TITLE>
 
 [snipped rest of page]
 
 
 Turn off proxy in server to stop this...
 
 Pierre
 

Pierre,
  I never doubted you.  Just wondering how it was supposed to work  when it's bad 
that is.  To clear up turning off proxy, are you referring to removing the following 
line from httpd.conf?

LoadModule proxy_module   modules/libproxy.so

AddModule mod_proxy.c


Along with commenting out 

### IP Address/Port and Proxied configuration section
###
# The APACHEPROXIED setting can be set in /etc/rc.d/init.d/httpd if you
# are using a proxy or accelerator, like the Apache-SGI or khttpd, so that
# the fast web server serves static content while Apache handles the 
# cgi or php files

#BindAddress *
<IfDefine !APACHEPROXIED>
Port 80
Listen 80
</IfDefine>
<IfDefine APACHEPROXIED>
Port 8080
Listen 8080
</IfDefine>

# Likewise, we can set apache as the server by default and send perl
# requests via ProxyPass to apache-mod_perl. It increases performance
# since the perl interpreter is only used for perl and the standard apache
# does all the html and image files, with a smaller footprint.
# Likewise, we can set apache as the server by default and send perl
# requests via ProxyPass to apache-mod_perl. It increases performance
# since the perl interpreter is only used for perl and the standard apache
# does all the html and image files, with a smaller footprint.
#
# If you install apache and apache-mod_perl, this is the default config.
# If you don't want two web servers to use perl, uninstall apache, and
# apache-mod_perl will not be proxied.

<IfDefine PERLPROXIED>
RewriteEngine on
RewriteRule ^proxy:.*  -  [F]
RewriteRule ^(.*\/perl\/.*)$  http://%{HTTP_HOST}:8200$1 [P]
RewriteRule ^(.*\/cgi-perl\/.*)$  http://%{HTTP_HOST}:8200$1 [P]
</IfDefine>


If so have you tried this on port 8080 as well? My attempt to try it on 
mandrakesoft.com site just hung with no telnet established.  I'm also curious if it's 
a perl thing or an apache thing that causes the problem.  Since it seems that both can 
do the proxies. (seems to open up 8200 for perl but maybe I'm wrong.)

James
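
Added example (not part of the thread, and not code from any poster): a small httpd.conf audit that lists the active, uncommented directives that load mod_proxy, turn on forward proxying, or hand requests to the proxy module, together with the <IfDefine> block each one sits in. The sample configuration is constructed from the lines quoted in the message above plus an assumed "ProxyRequests On" line; the function and variable names are hypothetical.

```python
import re

FORWARD = "forward proxying is enabled (ProxyRequests On)"

# Directive names and On/Off arguments are case-insensitive in Apache.
RULES = [
    (re.compile(r'^LoadModule\s+proxy_module\b', re.I), "mod_proxy is loaded"),
    (re.compile(r'^AddModule\s+mod_proxy\.c\b', re.I), "mod_proxy is activated"),
    (re.compile(r'^ProxyRequests\s+On\b', re.I), FORWARD),
    (re.compile(r'^ProxyPass\s', re.I), "reverse-proxy mapping"),
    # RewriteRule whose flag list contains P or proxy (but not PT).
    (re.compile(r'^RewriteRule\s.*\[(?:[^\]]*,)?\s*(?:P|proxy)\s*(?:,[^\]]*)?\]\s*$',
                re.I), "rewrite rule hands the request to mod_proxy"),
]

def audit(conf_text):
    """Return (line_no, directive, meaning, enclosing_sections) for active lines."""
    stack, findings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or commented out
            continue
        if line.startswith("</"):              # closing section tag
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):               # opening tag, e.g. <IfDefine X>
            stack.append(line.strip("<>"))
            continue
        for pattern, meaning in RULES:
            if pattern.match(line):
                findings.append((lineno, line, meaning, tuple(stack)))
                break
    return findings

def forward_proxy_enabled(findings):
    """True when an active ProxyRequests On line was found."""
    return any(meaning == FORWARD for _, _, meaning, _ in findings)

# Constructed sample: lines quoted in the thread plus an assumed ProxyRequests On.
SAMPLE_CONF = r"""LoadModule proxy_module   modules/libproxy.so
AddModule mod_proxy.c
ProxyRequests On
<IfDefine PERLPROXIED>
RewriteEngine on
RewriteRule ^proxy:.*  -  [F]
RewriteRule ^(.*\/perl\/.*)$  http://%{HTTP_HOST}:8200$1 [P]
</IfDefine>
"""

if __name__ == "__main__":
    for lineno, directive, meaning, context in audit(SAMPLE_CONF):
        where = " > ".join(context) or "global"
        print(f"{lineno}: {meaning} [{where}]  {directive}")
    print("forward proxy enabled:", forward_proxy_enabled(audit(SAMPLE_CONF)))
```

A directive reported inside an <IfDefine> block only takes effect when the server is started with that define.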

 
 






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-12 Thread Pierre Fortin

On Tue, 12 Mar 2002 20:21:46 -0800 James [EMAIL PROTECTED] wrote:


 Pierre,
   I never doubted you.  Just wondering how it was supposed to work 
   when it's bad that is.  To clear up turning off proxy, are you
   referring to removing the following line from httpd.conf?
[snip]
Yes; turned off pretty much all the proxy stuff here.

 If so have you tried this on port 8080 as well? My attempt to try it on
 mandrakesoft.com site just hung with no telnet established.  I'm also
 curious if it's a perl thing or an apache thing that causes the problem.
  Since it seems that both can do the proxies. (seems to open up 8200 for
  perl but maybe I'm wrong.)

telnet www.mandrakesoft.com 80 still allows proxying.  Ports 8080 and 8200
connect; but ignore the GET...  I haven't dug any deeper...

Pierre






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-11 Thread Mark Weaver

On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
 Ooops...  forgot to add that I needed to hit Return after sending the GET;
 so the full instructions are:
 
telnet server 80
GET http://some_other_server HTTP/1.0
Return
 
 Without the extra return, the command just sits there as you discovered.
 
 Sorry for the oversight,
 Pierre
 
 On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED] wrote:

Pierre,

Thankfully mine said connection refused.

-- 
daRcmaTTeR

Registered Linux User 182496
Mandrake 8.2beta1
-
 10:05am  up 2 days, 18:52,  1 user,  load average: 0.14, 0.32, 0.51







Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-11 Thread Michael Viron

The latest apache, 1.3.23, disables the passthrough feature by default --
I'm not sure about the 2.x series, since I've not used it.

Michael

--
Michael Viron [EMAIL PROTECTED]
Database Administrator / Web Statistician
Simple End User Linux

At 09:18 AM 3/11/2002 -0500, you wrote:
On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
 Ooops...  forgot to add that I needed to hit Return after sending the GET;
 so the full instructions are:
 
telnet server 80
GET http://some_other_server HTTP/1.0
Return
 
 Without the extra return, the command just sits there as you discovered.
 
 Sorry for the oversight,
 Pierre
 
 On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED] wrote:

Pierre,

Thankfully mine said connection refused.

-- 
daRcmaTTeR

Registered Linux User 182496
Mandrake 8.2beta1
-
 10:05am  up 2 days, 18:52,  1 user,  load average: 0.14, 0.32, 0.51





Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-11 Thread Pierre Fortin

On Mon, 11 Mar 2002 16:31:24 -0600 Michael Viron [EMAIL PROTECTED]
wrote:

 The latest apache, 1.3.23, disables the passthrough feature by default
 -- I'm not sure about the 2.x series, since I've not used it.

When I found this, I checked the www.apache.org (2.0.32) and it was either
correctly configured, or otherwise preventing proxying.

www.mandrakesoft.com and www.linux-mandrake.com still allow this...

Pierre


 Michael
 
 --
 Michael Viron [EMAIL PROTECTED]
 Database Administrator / Web Statistician
 Simple End User Linux
 
 At 09:18 AM 3/11/2002 -0500, you wrote:
 On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
  Ooops...  forgot to add that I needed to hit Return after sending the
  GET; so the full instructions are:
  
 telnet server 80
 GET http://some_other_server HTTP/1.0
 Return
  
  Without the extra return, the command just sits there as you
  discovered.
  
  Sorry for the oversight,
  Pierre
  
  On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED]
  wrote:
 
 Pierre,
 
 Thankfully mine said connection refused.
 
 -- 
 daRcmaTTeR
 
 Registered Linux User 182496
 Mandrake 8.2beta1
 -
  10:05am  up 2 days, 18:52,  1 user,  load average: 0.14, 0.32, 0.51
 
 



Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-11 Thread James

On 11 Mar 2002 09:18:58 -0500
Mark Weaver [EMAIL PROTECTED] wrote:

 On Sun, 2002-03-10 at 20:26, Pierre Fortin wrote:
  Ooops...  forgot to add that I needed to hit Return after sending the GET;
  so the full instructions are:
  
 telnet server 80
 GET http://some_other_server HTTP/1.0
 Return
  
  Without the extra return, the command just sits there as you discovered.
  
  Sorry for the oversight,
  Pierre
  
  On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED] wrote:
 
 Pierre,
 
 Thankfully mine said connection refused.

Mine 3 simply gave me the index.html page from the box I originally telneted into. Not 
from another server.

James

 
 -- 
 daRcmaTTeR
 
 Registered Linux User 182496
 Mandrake 8.2beta1
 -
  10:05am  up 2 days, 18:52,  1 user,  load average: 0.14, 0.32, 0.51
 
 
 






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-10 Thread Ken Thompson

Pierre,
When I do that I get the html from this server then the connection is closed 
by foreign host
Before the GET command, nothing, just sits there waiting for input.
But, it doesn't get any info from the server I tried, www.foo.com format..

On Sunday 10 March 2002 05:41 pm, you wrote:
 FYI...

 I found a scumbag using my web server to hide behind while [s]he accessed
 other servers.

 Mandrake:  your server is also configured to allow these passthrough
 requests!

 To test your server, issue these commands:

 telnet server 80
 GET http://some_other_server HTTP/1.0

 If you get the output from some_other_server, server is allowing
 passthrough (proxy) connections.

 HTH,
 Pierre

 Begin forwarded message:

 Date: Sun, 10 Mar 2002 12:26:17 -0800
 From: Ian Holsman [EMAIL PROTECTED]
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED], '[EMAIL PROTECTED]'
 [EMAIL PROTECTED] Subject: RE: 1.3.x allows passthrough



 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hi Pierre
 try disabling your proxy

 look for a line like
 LoadModule proxy_module modules/
 and comment it out by placing a '#' in front of it

 also
 turn 'ProxyRequests' to OFF
 (this is around line 988 on my config file)

  -Original Message-
  From: Pierre Fortin [mailto:[EMAIL PROTECTED]]
  Sent: Sunday, March 10, 2002 7:55 AM
  To: [EMAIL PROTECTED]
  Subject: 1.3.x allows passthrough
 
 
  [Also reported to CERT since they have the same exposure; see
  below]
 
  I was monitoring my DSL link when I noticed some strange HTTP
  requests to
  my web site...  someone was using my server to hide behind by
  formatting
  requests like this:
 
 GET http://somesite.domain/page HTTP/1.0
 
  which caused my 1.3.20 to acquire and serve the requested
  remote page.  To
  see if I was alone, I tried this on www.apache.org (2.0.32)
  which rejects
  this type of request, though I'm not sure if it is by design.
 
  I also tried such a query to www.cert.org and it *did* serve
  up a remote
  page.
 
  Hopefully there is at least a workaround...
 
  Pierre Fortin

-- 


Ken Thompson, North West Antique Autos
Payette, Idaho
Email: [EMAIL PROTECTED]
http://www.nwaa.com
Sales and brokering of antique autos and parts.

Linux- Coming Soon To A Desktop Near You
Registered Linux User #183936






Re: [expert] Fw: RE: Apache 1.3.x allows passthrough

2002-03-10 Thread Pierre Fortin

Ooops...  forgot to add that I needed to hit Return after sending the GET;
so the full instructions are:

   telnet server 80
   GET http://some_other_server HTTP/1.0
   Return

Without the extra return, the command just sits there as you discovered.

Sorry for the oversight,
Pierre

On Sun, 10 Mar 2002 18:01:13 -0700 Ken Thompson [EMAIL PROTECTED] wrote:

 Pierre,
 When I do that I get the html from this server then the connection is
 closed by foreign host
 Before the GET command, nothing, just sits there waiting for input.
 But, it doesn't get any info from the server I tried, www.foo.com
 format..
 
 On Sunday 10 March 2002 05:41 pm, you wrote:
  FYI...
 
  I found a scumbag using my web server to hide behind while [s]he
  accessed other servers.
 
  Mandrake:  your server is also configured to allow these passthrough
  requests!
 
  To test your server, issue these commands:
 
  telnet server 80
  GET http://some_other_server HTTP/1.0
 
  If you get the output from some_other_server, server is allowing
  passthrough (proxy) connections.
 
  HTH,
  Pierre
 
  Begin forwarded message:
 
  Date: Sun, 10 Mar 2002 12:26:17 -0800
  From: Ian Holsman [EMAIL PROTECTED]
  To: '[EMAIL PROTECTED]' [EMAIL PROTECTED],
  '[EMAIL PROTECTED]'[EMAIL PROTECTED] Subject: RE: 1.3.x allows
  passthrough
 
 
 
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Hi Pierre
  try disabling your proxy
 
  look for a line like
  LoadModule proxy_module modules/
  and comment it out by placing a '#' in front of it
 
  also
  turn 'ProxyRequests' to OFF
  (this is around line 988 on my config file)
 
   -Original Message-
   From: Pierre Fortin [mailto:[EMAIL PROTECTED]]
   Sent: Sunday, March 10, 2002 7:55 AM
   To: [EMAIL PROTECTED]
   Subject: 1.3.x allows passthrough
  
  
   [Also reported to CERT since they have the same exposure; see
   below]
  
   I was monitoring my DSL link when I noticed some strange HTTP
   requests to
   my web site...  someone was using my server to hide behind by
   formatting
   requests like this:
  
  GET http://somesite.domain/page HTTP/1.0
  
   which caused my 1.3.20 to acquire and serve the requested
   remote page.  To
   see if I was alone, I tried this on www.apache.org (2.0.32)
   which rejects
   this type of request, though I'm not sure if it is by design.
  
   I also tried such a query to www.cert.org and it *did* serve
   up a remote
   page.
  
   Hopefully there is at least a workaround...
  
   Pierre Fortin
 
 -- 
 
 
 Ken Thompson, North West Antique Autos
 Payette, Idaho
 Email: [EMAIL PROTECTED]
 http://www.nwaa.com
 Sales and brokering of antique autos and parts.
 
 Linux- Coming Soon To A Desktop Near You
 Registered Linux User #183936
 
 


