
Re: [suse-security] Apache log "CONNECT a.b.c.d:25" "200" (fwd)

> ok, I found this in my personal archive,
> and the link is even still valid:
> Bug #19113
> HTTP status 200 returned on HTTP CONNECT when mod_proxy not in use
> http://bugs.php.net/bug.php?id=19113
> 	Lars Ellenberg

Thank you, Lars, for your help!

I have looked at the bug report, and applied the
following 'patch' to httpd.conf, after my DocRoot Directory

This is followed by another Directory listing to deny access
to the rest of my srv docs.

I only want to allow access to the root directory, so others
can get my site homepage by just entering the domain name
of the machine.

snip xxxxx

 <Directory "/">
     DirectoryIndex karsites.hml
     Options None
     AllowOverride None
     Order Deny,Allow
     Allow from all
 </Directory>

# remove the CONNECT bug #
# <Limit CONNECT> inside <Location /> applies to every URL, so the method
# is refused with 403 regardless of path; the other methods stay untouched.

 <Location />
     <Limit CONNECT>
     Order deny,allow
     Deny from all
     </Limit>
 </Location>

snip xxxxx

# end of httpd.conf

However, when I do

karsites:/home/keith # telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Connected to localhost.
Escape character is '^]'.

Without the fix to limit CONNECT, I get the raw source code
from my DirectoryIndex page, karsites.hml

With the patch applied to httpd.conf I get the following:

HTTP/1.1 403 Forbidden
Date: Sat, 28 Feb 2004 15:07:07 GMT
Server: Apache/1.3.26 (Linux/SuSE)
Connection: close
Content-Type: text/html; charset=iso-8859-1

<TITLE>403 Forbidden</TITLE>
You don't have permission to access /
on this server.<P>
<ADDRESS>Apache/1.3.26 Server at <A
Connection closed by foreign host.
karsites:/home/keith #

Which is just the source code for the Apache-generated error.

The access_log now records the correct details:

 - - - [28/Feb/2004:15:34:27 +0000] "CONNECT HTTP/1.0" 403 311

NB: is it possible for an attacker to ftp to my machine and
use the above technique to download the source code of my
web applications?

Kind Regards - Keith Roberts
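The message above verifies the fix by hand: telnet to port 80, type a CONNECT request, and compare the status line and the access_log entry before and after the `<Limit CONNECT>` block. The script below, an added example and not part of the original message or of Apache, does the same two checks in code: an active probe that sends the raw `CONNECT a.b.c.d:25 HTTP/1.0` request an open-proxy scanner would send and parses the status line, and a passive scan of Common Log Format access_log lines that reports every CONNECT which was not answered with the 403 the block produces. The host names, IP addresses and log lines in it are constructed for illustration; the 403 status is the one the message shows, anything else is reported so the reader can decide whether it is acceptable.

```python
"""Check an Apache server for the CONNECT-answered-with-200 behaviour
discussed above, from both sides:

  * probe()            - active: send one raw CONNECT and read the status line
  * find_connect_hits() - passive: scan access_log lines for CONNECT requests
                          that were not refused

Added example; the hosts, addresses and log lines are constructed."""
import re
import socket
import sys
from typing import Iterable, List, Optional, Tuple

# Common Log Format: client ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_connect_request(target: str) -> bytes:
    """The raw request a proxy scanner sends, e.g. CONNECT a.b.c.d:25 HTTP/1.0.
    HTTP/1.0 needs no Host header and makes the server close the connection
    after its reply, which keeps the probe simple."""
    return f"CONNECT {target} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Numeric status from an HTTP status line, or None if the reply is not
    HTTP at all (a server that silently tunnels would not send one)."""
    first_line = response.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", first_line)
    return int(m.group(1)) if m else None


def probe(host: str, port: int = 80, target: str = "127.0.0.1:25",
          timeout: float = 5.0) -> Optional[int]:
    """Send one CONNECT to host:port and return the status code.
    With the <Limit CONNECT> block in place this should be 403; a 200 means
    the server still answers CONNECT as though it were a proxy."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_request(target))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\r\n" in data:      # status line complete
                break
    return parse_status(b"".join(chunks))


def find_connect_hits(log_lines: Iterable[str],
                      refused: Tuple[int, ...] = (403,)) -> List[Tuple[str, str, int]]:
    """Return (client, target, status) for each CONNECT request whose status
    is not one of the expected refusals.  Lines that are not CLF are skipped."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split()
        if not parts or parts[0] != "CONNECT":
            continue
        # "CONNECT HTTP/1.0" with no target (as in the quoted log line) is
        # still a CONNECT and is still reported if it was not refused.
        target = parts[1] if len(parts) >= 3 else ""
        status = int(m.group("status"))
        if status not in refused:
            hits.append((m.group("client"), target, status))
    return hits


# Constructed access_log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # before the fix: the symptom from the subject line, CONNECT answered 200
    '192.0.2.10 - - [28/Feb/2004:14:55:02 +0000] "CONNECT 198.51.100.25:25 HTTP/1.0" 200 1234',
    # an ordinary page fetch
    '192.0.2.11 - - [28/Feb/2004:15:01:44 +0000] "GET / HTTP/1.1" 200 5120',
    # after the fix
    '192.0.2.10 - - [28/Feb/2004:15:34:27 +0000] "CONNECT 198.51.100.25:25 HTTP/1.0" 403 311',
    # CONNECT with no target, refused
    '192.0.2.12 - - [28/Feb/2004:15:40:00 +0000] "CONNECT HTTP/1.0" 403 311',
    # not a log line at all
    'garbage',
]


if __name__ == "__main__":
    for client, target, status in find_connect_hits(SAMPLE_LOG):
        print(f"CONNECT from {client} to {target!r} answered {status}")
    if len(sys.argv) > 1:             # python script.py your.server.example
        print("probe status:", probe(sys.argv[1]))
```

Run it with no arguments to scan the constructed lines (only the pre-fix 200 is reported); pass a host name to send the same CONNECT the message typed into telnet and print the status Apache returns. Feeding a real access_log is a matter of `find_connect_hits(open("/var/log/httpd/access_log"))`.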
