[X-Unix] Stopping the Webdav Exploit in Apache
Eugene Lee
list-themacintoshguy at fsck.net
Sun Mar 28 03:49:11 PST 2004
On Sat, Mar 27, 2004 at 07:46:32PM -0800, Scott Haneda wrote:
:
: on 03/27/2004 07:32 PM, Eugene Lee wrote:
:
: > :
: > : For the life of me, I can not mimic this URI request, every
: > : attempt I make to try to create a test case so I can see how to
: > : pattern match this with SetEnvIfNoCase Request_URI yields a
: > : \\x02\\etc\\etc in my logs.
: >
: > Try this:
: >
: > $ curl -X SEARCH http://localhost/$'\x90\x02\xb1\x02\xb1'
: >
: > : Any idea whats going on here and how I can pattern match this?
: >
: > This is most likely the WebDAV buffer exploit for Windoze IIS.
: >
: > http://www.fatelabs.com/library/fatelabs-ntdll-analysis.pdf
:
: Thanks, that indeed works ::-)
: Any idea what pattern I would match on and how in this case:
: SetEnvIfNoCase Request_URI "MATCH HERE" msjunk
:
: I just cant get it to work.
What have you tried? Since the SetEnv* commands accept Perl regexps,
you should be able to do something like this:
SetEnvIfNoCase Request_URI "^/\x90\x02\xb1\x02\xb1" blah-blah-blah
--
Eugene Lee
http://www.coxar.pwp.blueyonder.co.uk/
More information about the X-Unix
mailing list