
SANS ISC InfoSec Handlers Diary Blog



A little web mystery

Published: 2008-02-20
Last Updated: 2008-02-20 19:20:57 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Hi everyone,

This morning we received an interesting message from Paul. He was seeing rather unusual log entries on his web server:

x.x.x.x Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+enUS;+rv:1.7.5)+Gecko/20050207+Firefox/1.0.1 
- http://www.[website].com/file.cfm+%5BPLM=0%5D%5BR%5D+GET+http://www.[website].com/file.cfm+
%5B0,12228,15387%5D+-%3E+%5BR%5D+POST+http://www.[website].com/file.cfm+%5B0,0,15335%5D
301 0 64 446 720

Decoded, the request translates into the more readable:

http://www.[website].com/file.cfm+[PLM=0][R]+GET+http://www.[website].com/file.cfm+[0,12228,
15387]+->+[R]+POST+http://www.[website].com/file.cfm+[0,0,15335]

As you can see, this is a bit strange. Apparently the [R] precedes each new request, and multiple requests are concatenated into one. After a bit of investigating, we're unaware of what this is trying to accomplish. It looks like HTTP request smuggling, but it is not. Also, "+" is an RFC 3986 acceptable sub-delimiter, but this request would not pass the second request to the page, so it doesn't appear to exploit an application vulnerability.
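To make the structure of that log entry easier to examine, here is a small decoder, added as an example and not part of the original diary or Paul's logs. It percent-decodes the request field, splits it at each [R] marker, and pulls out the method, URL and bracketed numbers of every embedded request, so an analyst can flag further entries of this shape. The sample string is the request field quoted above; the meaning of the bracketed numbers is unknown, so they are only extracted, not interpreted.

```python
"""Decode and split the concatenated proxy-style request seen in the diary."""
import re
from urllib.parse import unquote

# Constructed sample: the request field of the log line quoted in the diary,
# exactly as it appears (percent-encoded, "+" between tokens).
SAMPLE_REQUEST = (
    "http://www.[website].com/file.cfm+%5BPLM=0%5D%5BR%5D+GET+"
    "http://www.[website].com/file.cfm+%5B0,12228,15387%5D+-%3E+%5BR%5D+POST+"
    "http://www.[website].com/file.cfm+%5B0,0,15335%5D"
)

# Marker the diary observed in front of each embedded request.
MARKER = "[R]"
METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}


def decode_request(raw):
    """Percent-decode the request field.

    unquote() rather than unquote_plus() is used on purpose: the "+"
    characters are literal token separators in this log format, and the
    diary's own decoded rendering keeps them.
    """
    return unquote(raw)


def _parse_values(token):
    """Turn a bracketed token such as "[0,12228,15387]" into a list of ints.

    The diary does not say what these numbers mean; they are kept verbatim.
    Returns None when the token is not a plain comma-separated number list.
    """
    m = re.fullmatch(r"\[(\d+(?:,\d+)*)\]", token)
    return [int(n) for n in m.group(1).split(",")] if m else None


def split_embedded_requests(raw):
    """Split a request field at each [R] marker.

    Returns a dict with the text before the first marker ("prefix") and a
    list of embedded requests, each as {"method", "url", "values"}.
    """
    decoded = decode_request(raw)
    head, *segments = decoded.split(MARKER)
    requests = []
    for seg in segments:
        # Drop empty tokens and the "->" arrow that separates the GET from the POST.
        tokens = [t for t in seg.split("+") if t and t != "->"]
        if len(tokens) < 2 or tokens[0] not in METHODS:
            continue  # not a "<METHOD> <URL> ..." segment; skip it
        values = _parse_values(tokens[2]) if len(tokens) > 2 else None
        requests.append({"method": tokens[0], "url": tokens[1], "values": values})
    return {"prefix": head.strip("+"), "requests": requests}


def looks_concatenated(raw):
    """Detection helper: True when a request field carries more than one
    embedded request, which is what made the log entry above stand out."""
    return len(split_embedded_requests(raw)["requests"]) > 1


if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST))
    for r in split_embedded_requests(SAMPLE_REQUEST)["requests"]:
        print(r)
```

Run against the sample, the decoder reports a prefix of `http://www.[website].com/file.cfm+[PLM=0]` followed by a GET carrying `[0,12228,15387]` and a POST carrying `[0,0,15335]`, which is the structure described in the text. `looks_concatenated()` can be applied to the request field of each access-log line to surface further entries with the same [R]-separated shape.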

We know that the request originated from an open proxy, likely running Bluecoat. In addition, this issue is uncommon, but has been reported by others. If anyone is seeing similar behavior or has ideas, please let us know!
