[squid-users] customlog patch BUG ?

From: Darryl L. Miles <darryl@dont-contact.us>
Date: Wed, 31 Aug 2005 17:08:04 +0100

I'm seeing unescaped logfile entries when using the customlog patch.
Looking at the patch, there is code to escape various fields in various
ways, but it's not obvious on first look exactly which escaping rule
should be getting used. I don't think it's working.

My config entry (based on the example for Apache common format):

logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

The problem affects my logfile stats program, which is unable to parse the
line. Looks like someone is trawling for an awstats.pl bug. An example
entry is:

WARN:a1cpu4.bz.log:1786006 parse error for length at w;wget"
WARN: 213.61.102.218 - - [15/Aug/2005:22:39:01 +0100] "GET
http://62.XX.XX.109//awstats.pl"w;wget" HTTP/1.1" 404 454 "-"
"Mozilla/4.0(compatible; MSIE 6.0; Windows 98)" TCP_MISS:DIRECT

What I expected to see was:

"GET http://62.XX.XX.109//awstats.pl"w;wget" HTTP/1.1"

turned into (with an additional \ character), which would be what Apache does:

"GET http://62.XX.XX.109//awstats.pl\"w;wget" HTTP/1.1"

I would guess the abuser is sending:

$ telnet www.mydomain.com 80
GET //awstats.pl"w;wget HTTP/1.1
Host: www.mydomain.com

$

Am happy to help resolve this bug through reconfiguration or testing of
beta patches if necessary.

Thanks

-- 
Darryl L. Miles
Received on Wed Aug 31 2005 - 10:08:11 MDT
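
The escaping the post asks for, sketched as an added example (not code from Squid or the customlog patch): a writer that backslash-escapes quoted fields and a parser that honours those escapes, run over the log entry quoted above. The function names, the `\xhh` rendering of control characters and the regular expression are assumptions of this example; the sample record is constructed from the values in the post.

```python
import re

# A double-quoted field: any run of non-quote characters or backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED +
                     r' (\d{3}) (\d+|-) ' + QUOTED + ' ' + QUOTED + r' (\S+)$')

def escape_quoted_field(value):
    """Escape a value that is written between double quotes in the log."""
    out = []
    for ch in value:
        if ch in '"\\':
            out.append("\\" + ch)            # delimiter stays unambiguous
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))  # no raw CR/LF in a log record
        else:
            out.append(ch)
    return "".join(out)

def unescape_quoted_field(value):
    """Inverse of escape_quoted_field, for the log consumer."""
    return re.sub(r'\\x([0-9a-f]{2})|\\(.)',
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
                  value)

def format_line(f, escape=escape_quoted_field):
    """Render one record in the post's 'combined' layout (%ui and %un as '-')."""
    request = "%s %s HTTP/%s" % (f["method"], f["url"], f["version"])
    return '%s - - [%s] "%s" %s %s "%s" "%s" %s' % (
        f["client"], f["time"], escape(request), f["status"], f["size"],
        escape(f["referer"]), escape(f["agent"]), f["result"])

def parse_line(line):
    """Return the 10 fields of a line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = list(m.groups())
    for i in (4, 7, 8):                      # request, Referer, User-Agent
        fields[i] = unescape_quoted_field(fields[i])
    return fields

# Constructed sample: the field values of the log entry quoted in the post.
SAMPLE = {
    "client": "213.61.102.218", "time": "15/Aug/2005:22:39:01 +0100",
    "method": "GET", "url": 'http://62.XX.XX.109//awstats.pl"w;wget"',
    "version": "1.1", "status": "404", "size": "454", "referer": "-",
    "agent": "Mozilla/4.0(compatible; MSIE 6.0; Windows 98)",
    "result": "TCP_MISS:DIRECT"}
```

Passing `escape=lambda s: s` to `format_line` reproduces the unescaped entry from the post, which `parse_line` rejects; with the default escaper the same record parses and the request field round-trips unchanged.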
