-
October 4th, 2007, 03:38 PM
#1
Apache logging vulnerability?
Here's a little background. A long time ago I was going through my apache access_log and noticed a few entries where someone was trying to do some sort of exploit, and basically they were sending a ton of data in the GET request. That's normal and happens all the time. The weird thing was that at the end of the data I would see PHP code from my site. At the time I didn't know what to think of it, I just knew it wasn't good. Thinking about it now, it seems like it was most likely a heap overflow and the log buffer was overflowing into memory containing PHP code. When I first started this post I was thinking there may have been a way to replace the php code with your own, which is definitely not good and would allow you to do any number of things. Thinking about it now though, I'm thinking it's just code hanging around in memory from previous requests where the memory has been freed, but not overwritten. So when I started this post I was excited and thought it would be cool to try and replace the code, but now I'm not so sure that would do anything, but it still seems bad.
Anyways, I think this was apache 2.0.54 or 2.0.55, but I'm not sure. Is anyone running either of these with PHP? If so, can you check your logs and let me know if you see anything like this? I'd like to figure out which version it was and download it just to mess with it further. This was on a Linux machine, so I'm not sure the same thing would happen on a Windows machine. I'm running the 2.2 line now and I've never noticed anything like this. Thank you.
-
October 4th, 2007, 04:52 PM
#2
I do recall some issues with the logger some time ago.. I'll see if I can dig something up..
Damn.. That was quick.. This looks like a prime candidate...
http://www.securityfocus.com/bid/9930
Last edited by SirDice; October 4th, 2007 at 04:55 PM.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 4th, 2007, 06:35 PM
#3
I'm not sure if that's it or not. I was just thinking you could do something like:
Code:
GET /index.php?OVERFLOWOVERFLOWOVERFLOWOVERFLOWOVERFLOW<?php session_start(); $_SESSION['username']='admin';...
I wanted to try it out. Maybe I'll just randomly install Apache and try things until it works on a version. We'll see. Thanks.
-
October 4th, 2007, 07:25 PM
#4
Have you tried sending the data in your logs to your webserver to see what happens?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
October 4th, 2007, 08:10 PM
#5
Nope. I don't have the data. I'll probably just try installing older versions of Apache and throwing long strings of data at it until I get results.
-
October 4th, 2007, 10:45 PM
#6
Ahh you said:
they were sending a ton of data in the GET request.
If that is the case then the data sent should be in the log file...or at least part of it...I'm assuming it was maybe actually a POST (in which case it wouldn't)?
-
October 5th, 2007, 03:36 PM
#7
It was in my log file, but years ago. I've reinstalled the OS and installed different apache httpd versions since then. For some reason though, something recently made me think of it. I'm hoping it works on windows too because I just installed some new virtualization software that I can install the apache server into, test it, then completely wipe all traces of the installation with. Pretty cool software. Thanks.
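The log check asked for in the first post, sketched as an added example that is not part of the original thread: it scans access_log entries for oversized request lines, PHP source appearing inside the request field, and entries too damaged to parse. The common/combined log format, the 2048-byte threshold, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re

# Apache common/combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
# Script markers that should never show up inside a logged request line.
CODE_RE = re.compile(r'<\?(php|=)|\$_(SESSION|GET|POST|COOKIE|SERVER)\b', re.I)
MAX_REQUEST_LEN = 2048  # assumed threshold; tune to the site's longest legitimate URL

# Constructed sample entries (not taken from any real log).
SAMPLE = [
    '192.0.2.10 - - [04/Oct/2007:15:38:00 -0400] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.66 - - [04/Oct/2007:15:39:12 -0400] "GET /index.php?'
    + "A" * 4000 + ' HTTP/1.1" 414 250',
    '192.0.2.66 - - [04/Oct/2007:15:39:40 -0400] "GET /index.php?' + "A" * 64
    + "<?php session_start(); $_SESSION['username']='admin';" + '" 400 226',
    'AAAAAAAA truncated entry with no request field',
]


def scan(lines, max_len=MAX_REQUEST_LEN):
    """Return (line_number, host, reasons) for every suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # A corrupted or overwritten entry is itself worth a look.
            findings.append((n, None, ["unparseable"]))
            continue
        host, _when, request, _status, _size = m.groups()
        reasons = []
        if len(request) > max_len:
            reasons.append("long-request")
        if CODE_RE.search(request):
            reasons.append("script-code")
        if reasons:
            findings.append((n, host, reasons))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

To run it against a real log, pass an open file object to `scan()` in place of `SAMPLE`.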