ok, I found this in my personal archive,
and the link is even still valid:
Bug #19113
HTTP status 200 returned on HTTP CONNECT when mod_proxy not in use
http://bugs.php.net/bug.php?id=19113
Lars Ellenberg
Thank you, Lars, for your help!
I have looked at the bug report, and applied the
following 'patch' to httpd.conf, after my DocRoot Directory
container.
This is followed by another Directory listing to deny access
to the rest of my srv docs.
I only want to allow access to the root directory, so others
can get my site homepage by just entering the domain name
of the machine.
snip xxxxx
DirectoryIndex karsites.hml
Options None
AllowOverride None
Order Deny,Allow
Allow from all
</Directory>
# remove the CONNECT bug: http://bugs.php.net/bug.php?id=19113
<Location />
    <Limit CONNECT>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
snip xxxxx
# end of httpd.conf
However, when I do
karsites:/home/keith # telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT 127.0.0.1:80 HTTP/1.0
Without the fix to limit CONNECT, I get the raw source code
of my DirectoryIndex page, karsites.hml.
With the patch applied to httpd.conf I get the following:
HTTP/1.1 403 Forbidden
Date: Sat, 28 Feb 2004 15:07:07 GMT
Server: Apache/1.3.26 (Linux/SuSE)
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at <A HREF="mailto:keith@my-server.co.uk">my-server.co.uk</A> Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.
karsites:/home/keith #
Which is just the source code for the Apache-generated error
message.
The access_log now records the correct details:
127.0.0.1 - - [28/Feb/2004:15:34:27 +0000] "CONNECT 127.0.0.1:80 HTTP/1.0" 403 311
NB: is it possible for an attacker to ftp to my machine and
use the above technique to download the source code of my
web applications?
Kind Regards - Keith Roberts
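The raw CONNECT probe that the post types into telnet, plus a scan of an access_log for CONNECT requests that were actually served (the symptom of the bug, as opposed to the 403 the <Limit CONNECT> block now returns), as an added example in Python. This is not code from the thread or from Apache. The 403 response and the log lines below are constructed from the ones in the post, with one hypothetical 200 entry added for contrast; the target 127.0.0.1:80 and the Common Log Format of access_log are assumptions.

```python
"""Probe a web server with a raw CONNECT request and classify the reply,
and scan Apache access_log lines for CONNECT requests that got a 2xx.

Added example, not code from the original thread.  Assumptions: the server
under test listens on 127.0.0.1:80 and access_log is in Common Log Format.
"""
import re
import socket

# Status line of an HTTP response, e.g. "HTTP/1.1 403 Forbidden"
STATUS_LINE_RE = re.compile(r"^HTTP/\d\.\d (\d{3})(?: |$)")

# Apache Common Log Format, the format of the access_log line in the post:
# host ident user [timestamp] "METHOD target HTTP/x.y" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample response, modelled on the 403 shown in the post.
SAMPLE_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Server: Apache/1.3.26 (Linux/SuSE)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD></HTML>\r\n"
)

# Constructed access_log lines: the post's own 403 entry, a hypothetical
# entry from an unpatched server (CONNECT answered with 200), and a plain GET.
SAMPLE_LOG = [
    '127.0.0.1 - - [28/Feb/2004:15:34:27 +0000] "CONNECT 127.0.0.1:80 HTTP/1.0" 403 311',
    '10.0.0.5 - - [28/Feb/2004:15:40:02 +0000] "CONNECT 127.0.0.1:80 HTTP/1.0" 200 2048',
    '10.0.0.5 - - [28/Feb/2004:15:41:10 +0000] "GET / HTTP/1.0" 200 2048',
]


def build_connect_request(target):
    """The request typed into telnet in the post, with the terminating blank line."""
    return ("CONNECT %s HTTP/1.0\r\n\r\n" % target).encode("ascii")


def parse_status(raw):
    """Integer status code from a raw response, or None if no valid status line."""
    lines = raw.splitlines()
    if not lines:
        return None
    m = STATUS_LINE_RE.match(lines[0].decode("latin-1", "replace"))
    return int(m.group(1)) if m else None


def classify_connect_response(raw):
    """'served' for 2xx (the bug: CONNECT handled like a GET of the document),
    'refused' for 4xx/5xx (what the <Limit CONNECT> block produces),
    'other' for redirects, garbage or an empty reply."""
    status = parse_status(raw)
    if status is None:
        return "other"
    if 200 <= status < 300:
        return "served"
    if 400 <= status < 600:
        return "refused"
    return "other"


def probe_connect(host, port, target, timeout=5.0):
    """Send a raw CONNECT to host:port and return the server's complete reply.
    Network call; not exercised by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_request(target))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def find_successful_connects(lines):
    """Return the CLF entries where a CONNECT request was answered with 2xx."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        if m.group("method") == "CONNECT" and m.group("status").startswith("2"):
            hits.append({"host": m.group("host"), "ts": m.group("ts"),
                         "target": m.group("target")})
    return hits


if __name__ == "__main__":
    # Against a live server this prints "refused" once the Limit block is in place.
    reply = probe_connect("127.0.0.1", 80, "127.0.0.1:80")
    print(classify_connect_response(reply))
    for hit in find_successful_connects(SAMPLE_LOG):
        print("CONNECT served:", hit)
```

The log scan is the useful half for an existing server: running find_successful_connects over the real access_log shows whether anyone exercised the CONNECT path before the Limit block went in, which the 403 in the new log line alone does not tell you.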