On Mon, 22 Feb 2010 21:37:40 +0100, Stefan Fritsch wrote:
> Hi Michael,
>
> I don't think there is anything in Apache that should be changed for
> these issues. I will close the bug and mark them as unimportant in the
> security tracker:
>
> On Sunday 21 February 2010, Michael Gilbert wrote:
> > CVE-2003-1580[0]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, uses a logging format that does not identify
> > | whether a dotted quad represents an unresolved IP address, which
> > | allows remote attackers to spoof IP addresses via crafted DNS
> > | responses containing numerical top-level domains, as demonstrated
> > | by a forged 123.123.123.123 domain name, related to an "Inverse
> > | Lookup Log Corruption (ILLC)" issue.
>
> This doesn't seem much different from a PTR record pointing to an
> arbitrary domain name. Both cases can be handled by doing double
> reverse lookups. Apache does this if configured with "HostNameLookups
> double". It should be well known that single reverse lookups are
> unreliable, so I don't see a security issue here.
>
> > CVE-2003-1581[1]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, allows remote attackers to inject arbitrary
> > | text into log files via an HTTP request in conjunction with a
> > | crafted DNS response, as demonstrated by injecting XSS sequences,
> > | related to an "Inverse Lookup Log Corruption (ILLC)" issue.
>
> This is purely a log analyzer issue. Apache correctly escapes control
> characters in hostnames. For everything else, the log analyzer is
> responsible.

I came to the same conclusions, and I've already marked the issues
unimportant in the tracker. My goal for the bug report was to get a
second opinion from someone more familiar with Apache. Thanks!

mike
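
The double reverse lookup and the analyzer-side escaping discussed in this thread, as an added Python example that is not part of either message and is not Apache's code. The function names, the sample IP addresses and the PTR/A data are constructed for illustration; the resolver functions are injectable so the check runs offline.

```python
import html
import socket

def _ptr(ip):
    """Reverse lookup (PTR) through the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def _addrs(name):
    """Forward lookup (A/AAAA) through the system resolver."""
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def confirmed_host(ip, ptr=_ptr, addrs=_addrs):
    """Return the PTR name only if it resolves back to ip, else the IP itself."""
    try:
        name = ptr(ip)
        if ip in addrs(name):
            return name
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        pass
    return ip

def report_cell(host):
    """HTML-escape a host value before a log analyzer writes it into a report."""
    return "<td>" + html.escape(host, quote=True) + "</td>"

# Constructed sample data: PTR answers are controlled by whoever owns the
# reverse zone, so the first two names are what a hostile zone could return.
FAKE_PTR = {
    "198.51.100.7": "123.123.123.123",
    "198.51.100.8": "<script>x</script>.example",
    "192.0.2.10": "www.example.org",
}
FAKE_A = {"www.example.org": {"192.0.2.10"}}

def fake_ptr(ip):
    return FAKE_PTR[ip]

def fake_addrs(name):
    if name not in FAKE_A:
        raise socket.gaierror("no such host")
    return FAKE_A[name]

if __name__ == "__main__":
    for ip, name in FAKE_PTR.items():
        host = confirmed_host(ip, fake_ptr, fake_addrs)
        print(ip, "->", host, "| single-lookup cell:", report_cell(name))
```

Only the name that resolves back to the connecting address is kept; the forged dotted quad and the markup-bearing name both fall back to the real client IP, and the escaping step covers analyzers that read logs written with single lookups.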