I was making an HTTP daemon (server) for HPL, to be able to test HPL documents on the development machine. What the HTTPD does is something like simulating a CGI environment inside the Perl interpreter and connecting this environment to the browser.

In the console of the HTTPD I can see the connections and URL queries. But I leave the external access open, so that the other developers can see the work.

What is interesting to see is the access of scan programs (worms/viruses) all the time. And they are a big trouble, since the HTTPD can only handle one access at a time (the multi access doesn't work very well on Win32).

Well, the worms can't infect me, since the HTTPD only handles files, not executables. And they can't access things outside the DOCUMENT_ROOT. Well, it is so easy to deny access to other path levels. I don't know how MS missed this on IIS5 (most of the scans are exploits for IIS)! It was big negligence by them, or they thought that no one would explore these bugs!

Well, to avoid them I have restricted the access to only some IP ranges.

The Internet these days is a mess! You always need to be on alert for SPAM, viruses (well, a good anti-virus is always needed) and exploits (update the server too! And use a personal firewall). To avoid SPAM I haven't found a good tool, but a good tip is to not use easy e-mail addresses, like: joe@famous-domain.com. It is very easy for a SPAMMER to make a list of famous domains and common names, and bingo, they sell the list to the fools. I think that selling/buying e-mail lists should be a crime! And whoever buys a SPAM list is only buying a list of e-mails that are not used, since they receive a lot of SPAM, or a list of persons that hate SPAM!

If you want to play with HTTPD or see how your Internet neighbors are infected (especially for DSL/CABLE access), use this code, based on HPL::HTTPD:

** Hey, your ISP needs to allow port 80 and direct access to your IP. If your IP is only for intranet (192.168.0.x/10.0.x.x), hummm... They are stealing money from you, since you can't use a lot of good services on the Internet, or you think that the Internet is only http, ftp (the common services accessed by proxy/fw).

    #!/usr/bin/perl
    #
    # simple-httpd.pl
    #

    use HTTP::Daemon ; ## Install LWP.
    use HTTP::Status ;
    use strict ;

    my $RN = "\015\012" ;

    my $port = 80 ;

    my $HTTPD = HTTP::Daemon->new(
      #LocalAddr => 'localhost' ,
      LocalPort => $port ,
      Listen    => 5 ,
      Reuse     => 1 ,
      Timeout   => 30 ,
    ) ;

    if ($HTTPD) { print "Server on port: $port\n\n" ;}
    else { die "Can't open server at port $port!\n" ;}

    ## Append to the log file, unbuffered.
    open (LOG,">>log.txt") ;
    my $sel = select(LOG) ; $|=1 ; select($sel) ;

    ## One connection at a time: accept, log, answer, close.
    while( (my $connection = $HTTPD->accept) || 1 ) {
      if (!$connection) { next ;}

      my %clt = (
        ip   => $connection->peerhost ,
        port => $connection->peerport ,
      ) ;

      my $req = $connection->get_request ;

      print "-----------------------------------------\n" ;
      print LOG "-----------------------------------------\n" ;

      print "Client: $clt{ip}:$clt{port}\n" ;
      print LOG "Client: $clt{ip}:$clt{port}\n" ;

      if (!$req) { print "Bad Request (400)\n" ;}
      else {
        my $url = &normalize_path( $req->url->path ) ;

        print "URL: $url\n" ;
        print LOG "URL: $url\n" ;

        $connection->send_basic_header( 200 ) ; ## 200 (not 403) so the HTML can be seen in the browser.
        print $connection "Connection: close" . $RN ;
        print $connection "Content-type: text/html" . $RN.$RN ;

        print $connection "<title>403 Forbidden</title>\n" ;
        print $connection "<b>Forbiden (403)</b><br>\n" ;
        print $connection "Can't access: $url<p>\n" ;
        print $connection "<i>And don't scan my host!!!</i>\n" ;
      }

      print "-----------------------------------------\n\n" ;
      print LOG "-----------------------------------------\n\n" ;

      ## Other HTTPD methods:
      # $connection->send_error(403) ;}
      # $connection->send_file_response($root .'/'. $url) ;}

      close($connection) ;
    }

    close (LOG) ;

    exit ;

    ##################
    # NORMALIZE_PATH #
    ##################

    sub normalize_path {
      my ( $path ) = @_ ;
      if ($path eq '') { return() }

      ## Trim surrounding whitespace and drop everything after a line break.
      $path =~ s/^\s+//gs ;
      $path =~ s/\s+$//gs ;
      $path =~ s/[\r\n].*$//s ;

      ## Characters allowed besides \w and \s ($symb_ok_out only documents the excluded ones).
      my $symb_ok = q`!#$%&'()+,-./:;=@[\]^{}~€ŸÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝàáâãäåæçèéêëìíîïðñòóôõöùúûüýÿ`;
      my $symb_ok_out = q`*<>?"|`;

      $path =~ s/[^\w\s\Q$symb_ok\E]//gs ;

      ## Windows separators to '/'.
      $path =~ s/\\+/\//g ;

      if ($path !~ /^\// ) { $path = "/$path" ;}

      my ($type,$host) ;
      if ( $path =~ /^(\w+:)\/\/(.*)$/ ) { ($type,$path) = ($1,$2) }
      if ($type =~ /^(https?|ftps?):$/i ) { ($host,$path) = ( $path =~ /^(.*?)(\/.*)$/ ) ;}

      ## Collapse repeated slashes and drop the trailing one.
      $path =~ s/\/+/\//g ;
      $path =~ s/\/$// ;

      ## Resolve '.' and '..' segments.
      if ($path =~ /\/\.\.?\//) {
        my @path = split(/\//,$path) ;
        my @path2 ;
        foreach my $path_i ( @path ) {
          if ($path_i eq '.') { next }
          if ($path_i eq '..') { pop (@path2) ; next ;}
          push(@path2 , $path_i) ;
        }
        if ($path =~ /^\// && $path2[0] ne '') { unshift (@path2, "") }
        $path = join ("/", @path2) ;
      }

      if ($type ne '') { $path = "$type//$host$path" }
      return( $path ) ;
    }

    #######
    # END #
    #######

Graciliano M. P.
"The creativity is the expression of the liberty".

Replies are listed 'Best First'.
Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 27, 2003 at 21:04 UTC

    And they can't access things outside the DOCUMENT_ROOT.

    Are you sure?

    print normalize_path( "\\.\\./etc/passwd" );

    __DATA__
    ../etc/passwd

    Hmmm, looks outside the document root to me. You also have a bug in your $symb_ok regex string. You go on to try to convert \\ to / but you have stripped them out with the $path =~ s/[^$symb_ok]//gs; regex. If you fix that problem to allow windows \ paths you need to be really careful otherwise...

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      Wow! You found a bug! It was in the $symb_ok and $path =~ s/^$symb_ok//gs ; that I added last week. The right one is:

      my $symb_ok = q`!#$%&'()+,-./:;=@[\]^{}~€ŸÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖÙÚÛÜÝàáâãäåæçèéêëìíîïðñòóôõöùúûüýÿ`;
      $path =~ s/[^\w\s\Q$symb_ok\E]//gs ;

      I can't put \Q\E inside the variable, it doesn't work like we want! I have updated the main node, take a look.

      Graciliano M. P.
      "The creativity is the expression of the liberty".

        So now the hack to get outside the document root is just:

        print normalize_path( "../etc/passwd" );

        __DATA__
        ../etc/passwd

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

        Now do you see why people don't just go running around writing their own HTTP servers? By the time you're done writing it and finding every possible security problem, you could have installed Apache (or any of several other open source servers) a few hundred times. Nothing personal, but the "it's too hard to install so I wrote my own" argument just doesn't hold up.
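
One way to confine request paths to the document root, added here as an example; it is not code from the thread or from HPL::HTTPD, and the name `resolve_under_root` and the sample root are assumptions. Unlike normalize_path above, it refuses suspicious input instead of rewriting it, and treats a `..` that would climb above the root as an error:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not from the thread): map a raw request path onto a
# file below $root, or return undef if the request must be refused.
sub resolve_under_root {
    my ($root, $raw) = @_;
    return unless defined $raw && length $raw;

    # Decode %XX once so encoded dots and slashes are seen by the checks.
    (my $path = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    # Refuse rather than repair: backslashes, control bytes, a leftover '%'
    # (possible double encoding) and non-absolute paths are all rejected.
    return if $path =~ /[\\\x00-\x1f\x7f%]/;
    return unless $path =~ m{^/};

    my @out;
    for my $seg (split m{/+}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') {
            return unless @out;    # would climb above the root
            pop @out;
            next;
        }
        push @out, $seg;
    }
    return join '/', $root, @out;
}

# Constructed sample requests, including both inputs tried in the thread.
my $root = '/var/www/docs';    # assumed document root
for my $req ('/index.html', '/a/./b/../c.html', '../etc/passwd',
             "\\.\\./etc/passwd", '/../etc/passwd', '/a/../../etc/passwd',
             '/%2e%2e/%2e%2e/etc/passwd', '/..%255c../x') {
    my $file = resolve_under_root($root, $req);
    printf "%-28s => %s\n", $req, defined $file ? $file : 'REFUSED';
}
```

This is a lexical check only. If the document root can contain symlinks, also compare the result of Cwd::realpath against the root before opening the file.
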
Re: (nrd) How Internet is a mess. (Playing with HTTPD)
by newrisedesigns (Curate) on Feb 28, 2003 at 03:52 UTC

    gmpassos, I think that your attempt to write your own server is honorable, but in the end I believe it works against what you aim to do.

    You talk about the flood of requests you received looking for vulnerabilities. You mention that the security holes in IIS are obvious, however your own code has vulnerabilities. What if this code caught on without tachyon's mentioning of the holes? How many people would have used this and experienced breaches, something that you're against?

    Learning something new and writing code to try new ideas is encouraged. I think every programmer should try something foreign or outlandish to test his or her skills. However, sometimes (in my case, often) that code is not reliable or useful. It might suit your purpose, but if someone else were to use it, he or she might have serious problems because of something unforeseen.

    You want to make a wheel that rolls better. That's an admirable cause. But there are better ways of doing so. Apache is supported by a group of people, and it's been thoroughly tested. It's become what it is over a long period of time. You should help make existing wheels spin faster instead of starting over.

    If you want to prevent the internet from being a mess, don't let your pride get in the way of your desire to help others.

    Personally, I'd use the above code (somewhat stripped down) to act as a simple web server used only to track requests (and not serve pages). With the information recorded, you could analyze the data and find who is sending the traffic and when it is sent. Using that information, you can help clean up the 'net, little by little.

    John J Reiser
    newrisedesigns.com
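
A sketch of the request tracking suggested above, as an added example that is not part of the original thread: it parses the record format simple-httpd.pl appends to log.txt and tallies requests per client. The helper name `summarize_log` and the sample records are constructed; the log format carries no timestamp, so only who asked and what they asked for can be recovered.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample in the format simple-httpd.pl writes to log.txt
# (addresses are from the RFC 5737 documentation ranges).
my $sample = <<'LOG';
-----------------------------------------
Client: 192.0.2.10:1045
URL: /scripts/test.exe
-----------------------------------------

-----------------------------------------
Client: 198.51.100.7:3321
-----------------------------------------

-----------------------------------------
Client: 192.0.2.10:1046
URL: /scripts/test.exe
-----------------------------------------

-----------------------------------------
Client: 192.0.2.10:1047
URL: /admin/login.html
-----------------------------------------

LOG

# Hypothetical helper: count requests and distinct URLs per client IP.
# A "Client:" line with no "URL:" line is a request the server could not parse.
sub summarize_log {
    my ($text) = @_;
    my (%stats, $ip);
    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^Client: (\S+):(\d+)$/) {
            $ip = $1;
            $stats{$ip}{requests}++;
        }
        elsif (defined $ip && $line =~ /^URL: (.*)$/) {
            $stats{$ip}{urls}{$1}++;
            undef $ip;
        }
    }
    return \%stats;
}

my $stats = summarize_log($sample);
for my $ip (sort { $stats->{$b}{requests} <=> $stats->{$a}{requests} || $a cmp $b } keys %$stats) {
    my $urls   = $stats->{$ip}{urls} || {};
    my $parsed = 0;
    $parsed += $_ for values %$urls;
    printf "%-15s requests=%d unparsed=%d\n", $ip, $stats->{$ip}{requests}, $stats->{$ip}{requests} - $parsed;
    printf "    %3dx %s\n", $urls->{$_}, $_ for sort keys %$urls;
}
```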

Re: How Internet is a mess. (Playing with HTTPD)
by tachyon (Chancellor) on Feb 27, 2003 at 20:13 UTC

    { Something wrong with Apache? Writing your own servers is all well and good if you have a reason. redo }

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      It needs to be installed. For a programmer that is developing a site, it is easier to send the files to the server than to install Apache. But it is easiest if it can run HPL docs from HPL, without the need of 3rd parties. And I have designed HPL to be very independent of 3rd party modules or apps.

      But Apache is the final target, since for me it's the best server (but works in other servers, you just need Perl). And your HPL docs work inside mod_perl, that is even better! ;-P

      Graciliano M. P.
      "The creativity is the expression of the liberty".

        If you can click an OK button installing Apache on Win32 is not too hard cause that's about all you absolutely have to do. You will then have an intranet at localhost and a cgi-bin at /Program Files/Apache Group/Apache/cgi-bin. If you get indigo perl you will get Apache installed by default. If you plan to use Apache in the end why not develop for it from the start?

        cheers

        tachyon

        s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: How Internet is a mess. (Playing with HTTPD)
by tadman (Prior) on Feb 27, 2003 at 20:26 UTC
    You might want to take this and turn it into a module you can merge in with Apache. The mod_perl subsystem can be used to filter out undesirable requests before they even get processed. There are examples in the Writing Apache Modules book.

    People tend to frown on reinventing the wheel, though in a lot of circumstances it is quite educational. Sometimes you learn about how it works, and sometimes you learn that it's not quite as simple as you thought.
      As I said: "...use this code, based on HPL::HTTPD". It's a module! And HPL works with mod_perl too (we don't need the module HPL::HTTPD inside mod_perl). HPL filters all the requests and checks if they are OK before running them.

      Well, I "reinvented" the wheel because I think that it can roll better! ;-P

      Graciliano M. P.
      "The creativity is the expression of the liberty".

Re: How Internet is a mess. (Playing with HTTPD)
by Aristotle (Chancellor) on Mar 01, 2003 at 17:35 UTC
    If Apache is too heavy, try TinyWeb.

    Makeshifts last the longest.

      Good tip! ;-P

      Graciliano M. P.
      "The creativity is the expression of the liberty".