Re: Deny CONNECT & GET http requests (BIG Security Hole??)

Hi Guys,
 
I am very interested in what you are talking about, especially the CONNECT/POST discussion. I have what I believe is a spammer doing the CONNECT/POST and getting a status 200 from Apache. Is this truly a PHP issue? Should I drop using PHP? Do you both, and the Apache group, agree that this HTTP 200 status response means the connect to another server (they are trying to connect back to their server) is failing to connect, yet the status 200 occurs?
 
I am considering dropping PHP and/or Apache because of this drive-a-Mac-truck-through-it security hole in Apache/PHP. I tried the suggestions here on the Apache forum, but they do not appear to fix the spammer issue. If this is a PHP issue, I really would like a fix.
 
Thx.

Joshua Slive <joshua@xxxxxxxx> wrote:
On 6/19/07, Bob wrote:

> You are wrong

Really? Interesting.

Well, no actually, I'm not. But it's nice how confident you are about
your knowledge on this issue.

>, my original post showed the CONNECT requests having a 200
> status code which means apache did service them successfully

As I've told you repeatedly, php was almost certainly treating the
CONNECT request just like a GET request. So the CONNECT was not
succeeding in the sense of connecting to a third-party server. It was
simply serving your index.php page.

> My book says a 500 code is a common error when a client calls a flawed
> CGI script.

And this is not the "correct" status code. The correct status code is
403 (forbidden). But as I already said, the status code is not that
important since the robots don't care. (And, in fact, the original 200
status code wasn't really a problem either unless your index.php
script uses up lots of resources. So you could have just left things
as they were.)

> I have read the php manual concerning selecting individual
> methods. I could not find any mention of how to tell php to limit itself to
> only using desired methods. A link to the php manual where it explains how
> to restrict php to only allow the use of selected methods would go a long
> way to support your viewpoint. Providing a how to fix it post like I did is
> far better than a reply spouting apache dogma. Results are what count here.

I'm not here to win a debate with you. I'm just here to try to help
you understand how your server is working. For php configuration
questions you are better off on a php list. But I have already given
you explicit instructions: "I believe you
can set http.allowed_methods in your php config to the list of methods
php should handle. (GET and POST would be a good basic list.)" This is
documented here:
http://www.php.net/manual/en/ini.php

As I've also already told you, your current config should be fine. But
don't go recommending it to others as the proper solution when there
are many cleaner and safer solutions available (and listed in the
FAQ).

Joshua.
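One way to check Joshua's explanation against your own access log, as an added example that is not part of this thread: the script below parses Apache combined-format lines (the sample entries are constructed, using RFC 5737 documentation addresses), pulls out CONNECT requests and absolute-URI request lines (the shapes a client sends to an open proxy), and compares their response sizes with the size of ordinary 200 responses for the index page. A CONNECT that returns 200 with exactly the index page's byte count is consistent with PHP having served index.php rather than any tunnel being opened; a 403 means the request was refused outright. The allowed-method set and the size-matching heuristic are assumptions of this example, not something stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2007:10:01:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 1843 "-" "-"
203.0.113.5 - - [19/Jun/2007:10:01:03 +0000] "POST http://mail.example.net:25/ HTTP/1.0" 200 1843 "-" "-"
198.51.100.7 - - [19/Jun/2007:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2007:10:02:11 +0000] "GET /style.css HTTP/1.1" 200 512 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [19/Jun/2007:10:03:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 214 "-" "-"
"""

# Fields of the combined log format up to the response size; referer and agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed allow list for an ordinary PHP site; adjust to what your application really uses.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line is not a request entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def is_proxy_style(entry):
    """CONNECT, or a request line carrying an absolute URI, is what a client sends to a proxy."""
    return entry["method"] == "CONNECT" or entry["target"].startswith(("http://", "https://"))


def method_summary(log_text):
    """Count (method, status) pairs so unexpected methods stand out at a glance."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return Counter((e["method"], e["status"]) for e in entries)


def triage(log_text, allowed=ALLOWED_METHODS):
    """List proxy-style or non-allowed requests with a verdict on what the 200/403 likely meant."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Baseline: byte counts of normal 200 responses for the index page (assumed to be / or /index.php).
    index_sizes = {
        e["size"] for e in entries
        if e["method"] == "GET" and e["target"] in ("/", "/index.php") and e["status"] == 200
    }
    findings = []
    for e in entries:
        if e["method"] in allowed and not is_proxy_style(e):
            continue
        if e["status"] in (403, 405):
            verdict = "refused"
        elif e["status"] == 200 and e["size"] in index_sizes:
            # Same body size as the index page: the script answered, no tunnel was opened.
            verdict = "served index page (no tunnel)"
        elif e["status"] == 200:
            verdict = "200 with unexplained body size; review proxy configuration"
        else:
            verdict = "status %d" % e["status"]
        findings.append((e["ip"], e["method"], e["target"], e["status"], verdict))
    return findings


if __name__ == "__main__":
    for method_status, count in sorted(method_summary(SAMPLE_LOG).items()):
        print("%-8s %d  x%d" % (method_status[0], method_status[1], count))
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the summary shows which methods the server is actually answering, and the triage list shows whether those answers were refusals or ordinary page bodies. To confirm the size heuristic on your own server, compare against a request for the index page that you make yourself.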

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
