[Snort-users] Misconfigured firewall triggering alerts?
Sheahan, Paul (PCLN-NW)
Paul.Sheahan at ...2218...
Thu Jan 31 16:40:03 EST 2002
I stumbled on something interesting and was wondering if anyone else has
On a daily basis I see alerts for the "WEB-MISC long basic authorization
string" vulnerability in my logs. This vulnerability exists on some Unix and
Mac web servers where if the authorization information is too long, it could
crash the web server. But then I noticed something interesting... most
hosts that send packets with "Proxy-Authorization: Basic" seem to be
firewalls and/or proxy servers. Normally
Proxy-Authorization: Basic is only sent in an HTTP request when
authentication is first required from a proxy server before retrieving a
page. In my case, this type of proxy authorization isn't required to hit my
web servers, so that leads me to believe that firewalls and proxy servers
sending this information are incorrectly configured. If you run the
"ZXThYBHynFp0dwMLdRo=.." (or whatever information is following
"Proxy-Authorization: Basic") through a Base64 decoder, you have the proxy
ID and password of the requesting user. Has anyone else noticed this? Could
there be THAT many misconfigured proxy servers out there that are
accidentally sending Proxy user IDs and passwords out to sites that do not
require this information?
01/30-11:38:05.309896 126.96.36.199:7808 -> some.webserver.com:80
TCP TTL:53 TOS:0x0 ID:37942 IpLen:20 DgmLen:1063 DF
***AP*** Seq: 0x13E8364 Ack: 0x6615BF78 Win: 0x2238 TcpLen: 20
130162134585c80673696 HTTP/1.0..Accept: application/msword, appl
ication/vnd.ms-excel, application/vnd.ms-powerpoint, image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/pdf, */*..
.Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compat
ible; MSIE 4.01; Windows NT)..Host: web1.website.com..Cookie
: SITESERVER=ID=a1092a6b786cc0a78055cd9eb1a536db; PSessKey=24001
KIA; ASPSESSIONIDGGGGQHYZ=ODPLIEFDIGFBAGEMDLEBCAAH; ASPSESSIONID
ion: Basic ZXThYBHynFp0dwMLdRo=..Cache-Control: max-stale=0....
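
A defender-side check for the condition described in the post, as an added example that is not part of the original message: it flags requests arriving at an origin server that still carry a Proxy-Authorization header and records the proxy user ID with the password reduced to its length. The function names, host name and credentials are constructed for illustration.

```python
import base64
import binascii


def build_sample_request(user: str, password: str) -> bytes:
    """Constructed sample: a proxied request that still carries proxy credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "GET /index.html HTTP/1.0\r\n"
        "Host: web1.example.test\r\n"
        f"Proxy-Authorization: Basic {token}\r\n"
        "Cache-Control: max-stale=0\r\n\r\n"
    ).encode()


def find_leaked_proxy_auth(raw_request: bytes):
    """Return a finding dict if the request carries Proxy-Authorization, else None.

    The password itself is never returned, only its length, so the
    finding can be written to a log or ticket without repeating the leak.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        finding = {"scheme": scheme, "user": None,
                   "password_len": None, "decodable": False}
        if scheme.lower() != "basic":
            return finding  # header present, but not Basic credentials
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return finding  # header present, token is not valid Base64
        user, colon, password = decoded.partition(b":")
        if colon:  # Basic credentials are "user-id:password"
            finding.update(user=user.decode("latin-1"),
                           password_len=len(password), decodable=True)
        return finding
    return None
```

Any non-None result at an origin server means an upstream proxy forwarded a header that was meant only for the proxy itself.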