I see that Apache 2.0 does not convert an obfuscated URL into its canonical form. For example, with this URL:

http://www.example.com/url/hack

I see the Web page and the access log shows this:

10-05 07:41 "GET /url/hack HTTP/1.1" 200

With this obfuscated URL:

http://www.example.com/%75%72%6C%2F%68%61%63%6B

I get a 404 error page and the access log shows this:

10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404

However, the error log does not log this 404 error with the default LogLevel.

Two questions:

1. Why doesn't Apache log the error when other 404 errors are logged?

2. I'm pleased that Apache doesn't convert obfuscated URLs into canonical form, but I'm wondering why attackers have success using obfuscated URLs when attacking Apache sites where the Web apps are written in PHP. I do not know or use PHP.

Ed
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
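Added example, not part of the original post: a scanner for access-log lines in the format quoted above that flags request paths which percent-encode characters that never need encoding, so requests like the second one stand out even when the error log stays silent. The regular expressions, function names and finding labels are assumptions made for this illustration.

```python
import re
import string

# Log line layout as quoted in the post: date, time, "METHOD target PROTO", status.
LINE_RE = re.compile(r'^(\S+ \S+) "(\S+) (\S+) (\S+)" (\d{3})$')
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 section 2.3 unreserved characters: encoding them is never required.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")

def normalize(path):
    """Decode only percent-encoded unreserved characters (RFC 3986 6.2.2.2);
    keep every other escape, upper-cased. Returns (normalized, findings)."""
    findings = set()

    def repl(match):
        ch = chr(int(match.group(1), 16))
        if ch in UNRESERVED:
            findings.add("encoded-unreserved")
            return ch
        if ch == "/":
            # httpd refuses %2F in the path with a 404 unless
            # AllowEncodedSlashes is enabled (it defaults to Off).
            findings.add("encoded-slash")
        return "%" + match.group(1).upper()

    return PCT_RE.sub(repl, path), sorted(findings)

def scan(lines):
    """Return one record per log line whose path carries suspicious escapes."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout
        path = m.group(3).split("?", 1)[0]  # ignore the query string
        normalized, findings = normalize(path)
        if findings:
            hits.append({"raw": path, "normalized": normalized,
                         "status": int(m.group(5)), "findings": findings})
    return hits

# The two access-log lines quoted in the post.
SAMPLE = [
    '10-05 07:41 "GET /url/hack HTTP/1.1" 200',
    '10-05 07:41 "GET /%75%72%6C%2F%68%61%63%6B HTTP/1.1" 404',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```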