From owner-freebsd-security Tue Apr 24 7:43: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from c0mailgw06.prontomail.com (mailgw.prontomail.com [216.163.180.10])
	by hub.freebsd.org (Postfix) with ESMTP id 634EC37B422
	for ; Tue, 24 Apr 2001 07:42:56 -0700 (PDT)
	(envelope-from djstrobelite@starband.net)
Received: by c0mailgw06.prontomail.com (NPlex 5.1.050) id 3AE3B68A000307E7
	for freebsd-security@FreeBSD.ORG; Tue, 24 Apr 2001 07:41:20 -0700
Received: from 148.75.148.202 by SmtpServer for ; Tue, 24 Apr 2001 14:41:17 +0000
Message-ID: <3AE590D4.66E038DA@starband.net>
Date: Tue, 24 Apr 2001 08:42:41 -0600
From: Jumpin Joe
Reply-To: djs@uscreativetypes.com
X-Mailer: Mozilla 4.75 (Macintosh; U; PPC)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: other services vulnerable to globbing exploit?
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings:

I have followed with interest the recent exchanges about the ftpd globbing vulnerability. Below is a line from the logs of a certain site I host. The output looks very similar to the output I've seen shared here about how the vulnerability is exploited.

Could this be an (attempt) to exploit the same vulnerability through httpd? And as always, can this even be considered an attack? My apache and bind are up to date and requests like this come through at a variable rate, have not crashed the service, but do seem to be increasing load and eating up bandwidth.

Thanks in advance for your consideration.
Joe

-------------------------------- log output --------------------------------------------------

216.72.28.15 - - [24/Apr/2001:08:22:34 -0600] "GET /cgi-bin/somecompany/some_script.pl/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/' /'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/some.gif' HTTP/1.0" 200 20165 "http://www.somecompany.com/cgi-bin/omecompany/some_script.pl/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/ '/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/'/ '/'/'/'/'/'/'/'/'/another.gif'" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
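A triage sketch for entries like the one posted above, added here as an example and not part of the original message: it parses Apache combined-format log lines, finds the longest run of identical consecutive path segments in the request, and reports whether the Referer already carried the same run at a shorter length. The function names, the threshold of 8 and the sample entries (built on example.com and 192.0.2.15) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>.*?)" "(?P<agent>.*?)"$'
)

def longest_run(path):
    """Return (segment, count) for the longest run of identical consecutive segments."""
    best, best_n, prev, n = "", 0, None, 0
    for seg in (s for s in path.split("/") if s):
        n = n + 1 if seg == prev else 1
        prev = seg
        if n > best_n:
            best, best_n = seg, n
    return best, best_n

def triage(line, threshold=8):
    """Flag an entry whose request path repeats one segment `threshold` or more times."""
    m = COMBINED.match(line.strip())
    if not m:
        return None                      # not a combined-format entry
    seg, req_run = longest_run(urlsplit(m["target"]).path)
    if req_run < threshold:
        return None                      # ordinary request
    ref_seg, ref_run = longest_run(urlsplit(m["referer"]).path)
    same = ref_seg == seg
    return {
        "host": m["host"], "status": int(m["status"]), "segment": seg,
        "request_run": req_run, "referer_run": ref_run if same else 0,
        # True when the Referer already carried the same run and the request extends it
        "grew_from_referer": same and ref_run < req_run,
    }

def sample_line(req_depth, referer):
    """Constructed entry shaped like the posted one (documentation address ranges)."""
    target = "/cgi-bin/app/script.pl" + "/'" * req_depth + "/some.gif'"
    return ('192.0.2.15 - - [24/Apr/2001:08:22:34 -0600] "GET %s HTTP/1.0" 200 20165 '
            '"%s" "Mozilla/4.0 (compatible)"' % (target, referer))

if __name__ == "__main__":
    ref = "http://www.example.com/cgi-bin/app/script.pl" + "/'" * 30 + "/another.gif'"
    for entry in (sample_line(40, ref), sample_line(40, "-"), sample_line(0, "-")):
        print(triage(entry))
```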