Red Hat Bugzilla – Bug 176324
Logwatch http regex period escaping
Last modified: 2007-11-30 17:07:22 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7)
Description of problem:
In the @exploits array, patterns similar to "/../../../" do not have the periods escaped. I assume these patterns are to catch directory traversal attacks.
Because the periods aren't escaped, the bare "." matches any single character, meaning perfectly valid URLs like "/4f/34/sd/" are getting caught as exploits.
All periods in @exploits should be escaped with a backslash.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Request a URL with characters like "/sf/34/sd/" (or others) in it.
2. Look at your logwatch http report.
Actual Results: The valid URL got caught as an exploit.
Expected Results: Nothing. It's not an attempted exploit.
Created attachment 122518
Thank you for your notice. The attached patch fixes this problem.
Excellent, that fixes the directory traversal patterns.
BUT every period on every pattern in the @exploits array should be escaped to
be thorough: "cmd.exe" probably isn't meant to match "cmd4exe", "cmdtexe" or
"cmd/exe", all of which would get matched because the period on the "cmd.exe"
pattern isn't escaped.
Created attachment 122556
proposed patch (including the patch against problem described in comment 2)
Thank you. The attached patch fixes the problem described in comment 2 too.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
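The false positives reported in this bug can be reproduced with the added example below, which is not logwatch's code and not the attached patch. The two pattern strings and the request paths are constructed from the strings quoted in the report, and `bare_dots` and `flagged` are hypothetical helper names.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-ins for the two @exploits entries named in the report;
# they are not copied from the logwatch script.
my @unescaped = ('/../../../', 'cmd.exe');

# Both entries are plain literals, so quotemeta() is a safe way to escape
# them. A pattern that uses regex operators on purpose needs only its
# periods escaped by hand.
my @escaped = map { quotemeta($_) } @unescaped;

# Hypothetical audit helper: offsets of every bare "." in a pattern, i.e. a
# period that is neither backslash-escaped nor inside a [...] class.
sub bare_dots {
    my ($pat) = @_;
    my (@offsets, $in_class);
    for (my $i = 0; $i < length($pat); $i++) {
        my $c = substr($pat, $i, 1);
        if ($c eq '\\') { $i++; next; }          # skip the escaped character
        if ($c eq '[')  { $in_class = 1; next; }
        if ($c eq ']')  { $in_class = 0; next; }
        push @offsets, $i if $c eq '.' && !$in_class;
    }
    return @offsets;
}

# Hypothetical helper: number of patterns that match the request path.
sub flagged {
    my ($url, @patterns) = @_;
    return scalar grep { $url =~ /$_/i } @patterns;
}

for my $pat (@unescaped) {
    my @at = bare_dots($pat);
    printf "%-12s bare '.' at offsets: %s\n", $pat, @at ? join(',', @at) : 'none';
}

# Constructed request paths: five benign ones taken from the report, then
# two that the literal patterns are meant to catch.
my @requests = ('/4f/34/sd/', '/sf/34/sd/', '/cmd4exe', '/cmdtexe', '/cmd/exe',
                '/docs/../../../x', '/scripts/cmd.exe');
printf "%-20s %-10s %s\n", 'request', 'unescaped', 'escaped';
for my $url (@requests) {
    printf "%-20s %-10s %s\n", $url,
        flagged($url, @unescaped) ? 'EXPLOIT' : '-',
        flagged($url, @escaped)   ? 'EXPLOIT' : '-';
}
```

Running `bare_dots` over every entry of a pattern list before deployment catches this class of mistake without needing sample traffic.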