SANS ISC InfoSec Forums

A little web mystery

Hi everyone,

This morning we received an interesting message from Paul. He was seeing rather unusual log entries on his web server:

x.x.x.x Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+enUS;+rv:1.7.5)+Gecko/20050207+Firefox/1.0.1 
- http://www.[website].com/file.cfm+%5BPLM=0%5D%5BR%5D+GET+http://www.[website].com/file.cfm+
%5B0,12228,15387%5D+-%3E+%5BR%5D+POST+http://www.[website].com/file.cfm+%5B0,0,15335%5D
301 0 64 446 720

Decoded, the request translates into the more readable:

http://www.[website].com/file.cfm+[PLM=0][R]+GET+http://www.[website].com/file.cfm+[0,12228,
15387]+->+[R]+POST+http://www.[website].com/file.cfm+[0,0,15335]

As you can see, this is a bit strange. Apparently the [R] precedes each new request, and multiple requests are concatenated into one. After a bit of investigating, we are still unaware of what this is trying to accomplish. It looks like HTTP request smuggling, but it is not. Also, “+” is an acceptable sub-delimiter under RFC 3986, but this request would not pass the second request to the page, so it doesn't appear to exploit an application vulnerability.
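As an added example (not part of the diary or of Paul's logs), here is a small Python parser that decodes a log line of this shape, splits the URI on the [R] markers and flags lines that carry chained method/URL pairs. The field layout and the www.example.com host are assumptions modelled on the entry above; the sample line is constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the diary's log entry: IIS-style fields,
# with '+' standing in for spaces inside the user-agent and URI fields.
SAMPLE_LOG = (
    "x.x.x.x Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+enUS;+rv:1.7.5)"
    "+Gecko/20050207+Firefox/1.0.1 - "
    "http://www.example.com/file.cfm+%5BPLM=0%5D%5BR%5D+GET+"
    "http://www.example.com/file.cfm+%5B0,12228,15387%5D+-%3E+%5BR%5D+POST+"
    "http://www.example.com/file.cfm+%5B0,0,15335%5D 301 0 64 446 720"
)

# One chained segment: optional HTTP method, a URL, optional [bracketed] values.
SEGMENT_RE = re.compile(
    r"^\s*(?:(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+)?(\S+)\s*(?:\[([^\]]*)\])?"
)

def extract_uri_field(log_line):
    """Return the request-URI field (first whitespace-separated field that
    starts with http:// or https://), or None if the line has none."""
    for field in log_line.split():
        if field.startswith(("http://", "https://")):
            return field
    return None

def decode_uri(field):
    """Percent-decode the URI and turn the IIS '+' separators back into spaces."""
    return unquote(field).replace("+", " ")

def split_chained_requests(decoded):
    """Split a decoded URI on the [R] marker preceding each chained request.
    Yields (method, url, bracket_values); the leading segment is the outer
    request itself and therefore has method None."""
    parsed = []
    for segment in decoded.split("[R]"):
        m = SEGMENT_RE.match(segment)
        if m and m.group(2):
            parsed.append((m.group(1), m.group(2), m.group(3)))
    return parsed

def is_chained_request(log_line):
    """True when a single URI field carries further method+URL pairs,
    the pattern the diary describes; ordinary '+' in a query string does not trip it."""
    field = extract_uri_field(log_line)
    if field is None:
        return False
    chain = split_chained_requests(decode_uri(field))
    return any(method for method, _, _ in chain)

if __name__ == "__main__":
    for method, url, values in split_chained_requests(decode_uri(extract_uri_field(SAMPLE_LOG))):
        print(method or "(outer)", url, values)
```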

We know that the request originated from an open proxy, likely running Bluecoat. In addition, this issue is uncommon, but has been reported by others. If anyone is seeing similar behavior or has ideas, please let us know!

Maarten