From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7)

Description of problem:
In the @exploits array, patterns similar to "/../../../" do not have the periods escaped. I assume these patterns are to catch directory traversal attacks. Because the periods aren't escaped, the bare "." matches any single character, meaning perfectly valid URLs like "/4f/34/sd/" are getting caught as exploits. All periods in @exploits should be escaped with a backslash.

Version-Release number of selected component (if applicable):
logwatch-5.2.2-1.EL4.1

How reproducible:
Always

Steps to Reproduce:
1. Request a url with characters like "/sf/34/sd/" (or others) in it.
2. Look at your logwatch http report.

Actual Results:
The valid url got caught as an exploit.

Expected Results:
Nothing. It's not an attempted exploit.

Additional info:
Created attachment 122518
proposed patch

Thank you for your notice. The attached patch fixes this problem.
Excellent, that fixes the directory traversal patterns. BUT every period on every pattern in the @exploits array should be escaped to be thorough: "cmd.exe" probably isn't meant to match "cmd4exe", "cmdtexe" or "cmd/exe", all of which would get matched because the period on the "cmd.exe" pattern isn't escaped.
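The false positives described in the report and in the comment above, reproduced as an added example (this is not logwatch's code and not the attached patch). The two patterns are the ones quoted on this page; the request paths and the `hits` helper are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the @exploits array: only the two patterns
# quoted in the report, written as they were before the patch.
my @exploits = ('/../../../', 'cmd.exe');

# Constructed request paths. The first three are benign and use the
# report's own examples; the last two are what the patterns should catch.
my @urls = (
    '/4f/34/sd/index.html',
    '/sf/34/sd/',
    '/download/cmd4exe',
    '/scripts/../../../etc/passwd',
    '/scripts/cmd.exe?/c+dir',
);

# Return the patterns from @$patterns that match $url (hypothetical helper).
sub hits {
    my ($url, $patterns) = @_;
    return grep { $url =~ /$_/ } @$patterns;
}

# Escape every period so it matches only a literal '.', as the report asks.
my @escaped = map { my $p = $_; $p =~ s/\./\\./g; $p } @exploits;

# Show, per path, which patterns fire before and after escaping.
for my $url (@urls) {
    my @before = hits($url, \@exploits);
    my @after  = hits($url, \@escaped);
    printf "%-32s unescaped: %-12s escaped: %s\n",
        $url,
        (@before ? join(',', @before) : '-'),
        (@after  ? join(',', @after)  : '-');
}
```

Where every entry is meant as a literal string, Perl's built-in `quotemeta` (or `\Q...\E` inside the match) escapes all metacharacters at once, not only the period.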
Created attachment 122556
proposed patch (including the patch against problem described in comment 2)

Thank you. The attached patch fixes the problem described in comment 2 too.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0631.html