Apache logging vulnerability?

  1. #1
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407

    Apache logging vulnerability?

    Here's a little background. A long time ago I was going through my Apache access_log and noticed a few entries where someone was trying to do some sort of exploit, and basically they were sending a ton of data in the GET request. That's normal and happens all the time. The weird thing was that at the end of the data I would see PHP code from my site. At the time I didn't know what to think of it; I just knew it wasn't good. Thinking about it now, it seems like it was most likely a heap overflow and the log buffer was overflowing into memory containing PHP code. When I first started this post I was thinking there may have been a way to replace the PHP code with your own, which is definitely not good and would allow you to do any number of things. Thinking about it now though, I'm thinking it's just code hanging around in memory from previous requests where the memory has been freed, but not overwritten. So when I started this post I was excited and thought it would be cool to try and replace the code, but now I'm not so sure that would do anything, but it still seems bad.

    Anyways, I think this was Apache 2.0.54 or 2.0.55, but I'm not sure. Is anyone running either of these with PHP? If so, can you check your logs and let me know if you see anything like this? I'd like to figure out which version it was and download it just to mess with it further. This was on a Linux machine, so I'm not sure the same thing would happen on a Windows machine. I'm running the 2.2 line now and I've never noticed anything like this. Thank you.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I do recall some issues with the logger some time ago.. I'll see if I can dig something up..

    Damn.. That was quick.. This looks like a prime candidate...

    http://www.securityfocus.com/bid/9930
    Last edited by SirDice; October 4th, 2007 at 05:55 PM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I'm not sure if that's it or not. I was just thinking you could do something like:
    Code:
    GET /index.php?OVERFLOWOVERFLOWOVERFLOWOVERFLOWOVERFLOW<?php session_start(); $_SESSION['username']='admin';...
    I wanted to try it out. Maybe I'll just randomly install Apache and try things until it works on a version. We'll see. Thanks.

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Have you tried sending the data in your logs to your webserver to see what happens?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    Nope. I don't have the data. I'll probably just try installing older versions of Apache and throwing long strings of data at it until I get results.

  6. #6
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Ahh you said:

    they were sending a ton of data in the GET request.
    If that is the case then the data sent should be in the log file...or at least part of it...I'm assuming it was maybe actually a POST (in which case it wouldn't)?

  7. #7
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    It was in my log file, but years ago. I've reinstalled the OS and installed different Apache httpd versions since then. For some reason though, something recently made me think of it. I'm hoping it works on Windows too because I just installed some new virtualization software that I can install the Apache server into, test it, then completely wipe all traces of the installation with. Pretty cool software. Thanks.
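
Added example, not part of any post in this thread: a small triage script for the kind of access_log entries described in posts #1 and #6, flagging request lines that are oversized, that contain server-side script source, or that no longer parse as a log entry. The length threshold, marker list and sample lines are assumptions constructed for illustration.

```python
import re

# Apache common/combined format: host ident user [time] "request" status bytes ...
# The request group is greedy so a request containing quotes still parses.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)')

# Assumed markers of PHP source showing up inside a logged request line.
SCRIPT_MARKERS = ("<?php", "<?=", "$_session", "$_get", "$_post")

MAX_REQUEST_LEN = 2048  # assumed threshold; tune to the longest legitimate URL


def triage(lines, max_len=MAX_REQUEST_LEN):
    """Return (line_no, host, reasons) for entries that deserve a manual look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            # A corrupted or truncated entry is itself worth reviewing.
            findings.append((n, None, ["unparseable"]))
            continue
        host, _ts, request, status, _size = m.groups()
        reasons = []
        if len(request) > max_len:
            reasons.append("oversized")
        lowered = request.lower()
        if any(marker in lowered for marker in SCRIPT_MARKERS):
            reasons.append("script-source")
        if status == "414":  # HTTP 414: server rejected an over-long URI
            reasons.append("uri-too-long")
        if reasons:
            findings.append((n, host, reasons))
    return findings


# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE = [
    '192.0.2.10 - - [04/Oct/2007:17:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Oct/2007:17:41:13 +0000] "GET /index.php?'
    + "A" * 3000 + "<?php include 'header.php'; ?>\" 400 226",
    '203.0.113.5 - - [04/Oct/2007:17:42:50 +0000] "GET /' + "B" * 100
    + ' HTTP/1.1" 414 250',
    "garbage without log structure",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Entries flagged as both oversized and script-source match the pattern from post #1 and are the ones to keep a copy of, together with the exact httpd version, before logs rotate.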
