Edgewall Software

Opened 18 years ago

Closed 18 years ago

#4461 closed defect (invalid)

Possible Cross Site Scripting Issue

Reported by: axton.grams@…
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: general
Version: 0.10.2
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Emmanuel Blot)

I have a Trac site up that is hosting a couple of programs on the internet. After reviewing my apache access_log, I noticed a couple of strange items:

Anonymous users have the following access:

Trac [x/trac/dvpfw]> permission list anonymous

User       Action
--------------------------
anonymous  BROWSER_VIEW
anonymous  CHANGESET_VIEW
anonymous  FILE_VIEW
anonymous  LOG_VIEW
anonymous  MILESTONE_VIEW
anonymous  REPORT_SQL_VIEW
anonymous  REPORT_VIEW
anonymous  ROADMAP_VIEW
anonymous  SEARCH_VIEW
anonymous  TICKET_APPEND
anonymous  TICKET_CHGPROP
anonymous  TICKET_CREATE
anonymous  TICKET_MODIFY
anonymous  TICKET_VIEW
anonymous  TIMELINE_VIEW
anonymous  WIKI_CREATE
anonymous  WIKI_MODIFY
anonymous  WIKI_VIEW

Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 TICKET_ADMIN, TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY,
 TICKET_VIEW, TRAC_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_VIEW

Here are the full apache access_logs for the concern:

x.x.x.x - - [26/Dec/2006:10:30:30 +0000] "GET /projects/dvpfw HTTP/1.1" 200 5851
x.x.x.x - - [26/Dec/2006:10:30:31 +0000] "GET /projects/dvpfw/chrome/common/css/wiki.css HTTP/1.1" 200 1533
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "GET /projects/dvpfw/chrome/common/css/trac.css HTTP/1.1" 200 12531
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "GET /projects/dvpfw/chrome/common/js/trac.js HTTP/1.1" 200 4407
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "GET /projects/dvpfw/chrome/common/css/code.css HTTP/1.1" 200 4351
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "GET /projects/dvpfw/chrome/common/trac_banner.png HTTP/1.1" 200 2161
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient.png HTTP/1.1" 200 350
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=84200031966B782E&RID=51180&zx=wpur90-wq2kwy&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/trac_logo_mini.png HTTP/1.1" 200 689
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient2.png HTTP/1.1" 200 309
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/dots.gif HTTP/1.1" 200 50
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/extlink.gif HTTP/1.1" 200 90
x.x.x.x - - [26/Dec/2006:10:30:33 +0000] "GET /projects/dvpfw/chrome/common/trac.ico HTTP/1.1" 200 3638
x.x.x.x - - [26/Dec/2006:10:30:35 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=84200031966B782E&RID=51180&zx=wpur90-wq2kwy&t=2 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:37 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=84200031966B782E&RID=51180&zx=wpur90-wq2kwy&t=3 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:39 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=84200031966B782E&RID=51180&zx=wpur90-wq2kwy&t=4 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:39 +0000] "GET http://www.google.com/url?rand=02feecb0841167129052210&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:30:40 +0000] "POST http://mail.google.com/mail/?ik=02feecb084&view=bzr HTTP/1.1" 404 203
x.x.x.x - - [26/Dec/2006:10:30:45 +0000] "GET http://support.bmc.com/arsys/BackChannel/?param=456%2FGetTableEntryList%2F17%2Fremcspenu.bmc.com16%2FBMC%3ASSP%3AQMObject18%2FDefault%20Admin%20View9%2F30063810017%2Fremcspenu.bmc.com24%2FSHARE%3AAssocSolution_join3%2FSSP1%2F01%2F020%2F6%2F1%2F01%2F11%2F21%2F11%2F31%2F1180%2F1%5C1%5C2%5C1%5C4%5C1%5C99%5C179%5C1%5C490008000%5C4%5C1%5C99%5C490000100%5C1%5C490008100%5C1%5C4%5C1%5C99%5C179%5C1%5C490009000%5C4%5C1%5C99%5C490000100%5C1%5C490009100%5C2%5C4%5C1%5C1%5C300059000%5C2%5C0%5C4%5C1%5C1%5C300059000%5C2%5C6%5C0%5C4%5C1%5C1%5C400015200%5C2%5C6%5C1%5C18%2F2%2F9%2F4900001003%2F17968%2F2%2F30%2FSH220017391200Q%5BPVZA%5BfiLcAGUkA30%2FSH000D56BA39D4zSD5Qw4Q9yKQDxgB8%2F2%2F1%2F41%2F4 HTTP/1.1" 404 216
x.x.x.x - - [26/Dec/2006:10:30:45 +0000] "GET http://support.bmc.com/arsys/resources/html/MessagePopup.html HTTP/1.1" 404 236
x.x.x.x - - [26/Dec/2006:10:30:45 +0000] "GET http://mail.google.com/mail/channel/test?at=5aa75864bf050aeb-10fbe4944aa&MODE=init&zx=sjnjmm-mvhh01&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:45 +0000] "GET http://www.google.com/url?rand=02feecb0841167129058119&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:44:41 +0000] "GET /projects/dvpfw/roadmap HTTP/1.1" 200 5258
x.x.x.x - - [26/Dec/2006:10:44:42 +0000] "GET /projects/dvpfw/chrome/common/css/roadmap.css HTTP/1.1" 200 2640
x.x.x.x - - [26/Dec/2006:10:44:42 +0000] "GET /projects/dvpfw/chrome/common/css/trac.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:42 +0000] "GET /projects/dvpfw/chrome/common/js/trac.js HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/trac_banner.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/trac_logo_mini.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient2.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/ics.png HTTP/1.1" 200 347
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/extlink.gif HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:43 +0000] "GET /projects/dvpfw/chrome/common/dots.gif HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:54 +0000] "GET /projects/dvpfw/wiki HTTP/1.1" 200 5851
x.x.x.x - - [26/Dec/2006:10:44:56 +0000] "GET /projects/dvpfw/chrome/common/css/wiki.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:44:56 +0000] "GET /projects/dvpfw/chrome/common/css/code.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:45:07 +0000] "GET /projects/dvpfw/roadmap HTTP/1.1" 200 5258
x.x.x.x - - [26/Dec/2006:10:45:13 +0000] "GET /projects/dvpfw/browser HTTP/1.1" 200 6324
x.x.x.x - - [26/Dec/2006:10:45:14 +0000] "GET /projects/dvpfw/chrome/common/css/browser.css HTTP/1.1" 200 3584
x.x.x.x - - [26/Dec/2006:10:45:14 +0000] "GET /projects/dvpfw/chrome/common/asc.png HTTP/1.1" 200 222
x.x.x.x - - [26/Dec/2006:10:45:15 +0000] "GET /projects/dvpfw/chrome/common/folder.png HTTP/1.1" 200 357
x.x.x.x - - [26/Dec/2006:10:45:18 +0000] "GET /projects/dvpfw/report HTTP/1.1" 200 8713
x.x.x.x - - [26/Dec/2006:10:45:19 +0000] "GET /projects/dvpfw/chrome/common/css/report.css HTTP/1.1" 200 4346
x.x.x.x - - [26/Dec/2006:10:45:27 +0000] "GET /projects/dvpfw/report/1 HTTP/1.1" 200 4569
x.x.x.x - - [26/Dec/2006:10:45:27 +0000] "GET /projects/dvpfw/chrome/common/xml.png HTTP/1.1" 200 452
x.x.x.x - - [26/Dec/2006:10:45:31 +0000] "GET /projects/dvpfw/newticket HTTP/1.1" 200 6049
x.x.x.x - - [26/Dec/2006:10:45:31 +0000] "GET /projects/dvpfw/chrome/common/css/ticket.css HTTP/1.1" 200 2354
x.x.x.x - - [26/Dec/2006:10:45:31 +0000] "GET /projects/dvpfw/chrome/common/js/wikitoolbar.js HTTP/1.1" 200 3019
x.x.x.x - - [26/Dec/2006:10:45:32 +0000] "GET /projects/dvpfw/search HTTP/1.1" 200 3928
x.x.x.x - - [26/Dec/2006:10:45:32 +0000] "GET /projects/dvpfw/chrome/common/css/search.css HTTP/1.1" 200 481
x.x.x.x - - [26/Dec/2006:10:45:34 +0000] "GET /projects/dvpfw/wiki HTTP/1.1" 200 5851
x.x.x.x - - [26/Dec/2006:10:46:01 +0000] "GET /projects/dvpfw/report/9 HTTP/1.1" 200 4594
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/css/trac.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/css/report.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/js/trac.js HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/css/code.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/trac_banner.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:02 +0000] "GET /projects/dvpfw/chrome/common/trac_logo_mini.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:03 +0000] "GET /projects/dvpfw/chrome/common/xml.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:03 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient2.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:03 +0000] "GET /projects/dvpfw/chrome/common/dots.gif HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:04 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61477&zx=57pjf8-hrzx1m&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:46:06 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61477&zx=57pjf8-hrzx1m&t=2 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:46:08 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61477&zx=57pjf8-hrzx1m&t=3 HTTP/1.1" 400 226
x.x.x.x - - [26/Dec/2006:10:46:31 +0000] "GET /projects/dvpfw HTTP/1.1" 200 5851
x.x.x.x - - [26/Dec/2006:10:46:31 +0000] "GET /projects/dvpfw/chrome/common/css/trac.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/js/trac.js HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/css/wiki.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/css/code.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/trac_banner.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/trac_logo_mini.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/dots.gif HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/extlink.gif HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:32 +0000] "GET /projects/dvpfw/chrome/common/topbar_gradient2.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:46 +0000] "GET /projects/dvpfw/browser HTTP/1.1" 200 6324
x.x.x.x - - [26/Dec/2006:10:46:46 +0000] "GET /projects/dvpfw/chrome/common/css/browser.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:47 +0000] "GET /projects/dvpfw/chrome/common/asc.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:47 +0000] "GET /projects/dvpfw/chrome/common/folder.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:57 +0000] "GET /projects/dvpfw/browser/tags HTTP/1.1" 200 5616
x.x.x.x - - [26/Dec/2006:10:46:57 +0000] "GET /projects/dvpfw/chrome/common/parent.png HTTP/1.1" 200 228
x.x.x.x - - [26/Dec/2006:10:46:59 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:47:00 +0000] "GET /projects/dvpfw/chrome/common/file.png HTTP/1.1" 200 285
x.x.x.x - - [26/Dec/2006:10:47:04 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61479&zx=6iiwht-649jov&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:07 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61479&zx=6iiwht-649jov&t=2 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:09 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61479&zx=6iiwht-649jov&t=3 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:10 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/redist HTTP/1.1" 200 7045
x.x.x.x - - [26/Dec/2006:10:47:11 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=2&SID=DCD7091F899F40F1&RID=61479&zx=6iiwht-649jov&t=4 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:11 +0000] "GET http://www.google.com/url?rand=02feecb0841167130037187&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:47:12 +0000] "POST http://mail.google.com/mail/?ik=02feecb084&view=bzr HTTP/1.1" 404 203
x.x.x.x - - [26/Dec/2006:10:47:15 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:47:15 +0000] "GET http://mail.google.com/mail/channel/test?at=5aa75864bf050aeb-10fbe4944aa&MODE=init&zx=h5y8o3-a0bn5e&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:15 +0000] "GET http://www.google.com/url?rand=02feecb0841167130041313&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:47:18 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/.externalToolBuilders HTTP/1.1" 200 6668
x.x.x.x - - [26/Dec/2006:10:47:21 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:47:22 +0000] "GET http://mail.google.com/mail/channel/test?at=5aa75864bf050aeb-10fbe4944aa&MODE=init&zx=unbim7-nkkxz3&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:47:23 +0000] "GET http://www.google.com/url?rand=02feecb0841167130048453&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:47:23 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/.settings HTTP/1.1" 200 7969
x.x.x.x - - [26/Dec/2006:10:47:27 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:47:29 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/lib HTTP/1.1" 200 9561
x.x.x.x - - [26/Dec/2006:10:47:45 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:48:00 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src HTTP/1.1" 200 6377
x.x.x.x - - [26/Dec/2006:10:48:01 +0000] "GET http://b.mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&RID=rpc&SID=A2D41B13A172F7D7&CI=0&AID=4&TYPE=html&zx=j2hmh0-kk1tsu&DOMAIN=mail.google.com&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:48:03 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org HTTP/1.1" 200 6553
x.x.x.x - - [26/Dec/2006:10:48:05 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki HTTP/1.1" 200 7419
x.x.x.x - - [26/Dec/2006:10:48:07 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin HTTP/1.1" 200 7690
x.x.x.x - - [26/Dec/2006:10:48:09 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin HTTP/1.1" 200 7304
x.x.x.x - - [26/Dec/2006:10:48:19 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin/BasePlugin.java HTTP/1.1" 200 17991
x.x.x.x - - [26/Dec/2006:10:48:41 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin HTTP/1.1" 200 7304
x.x.x.x - - [26/Dec/2006:10:48:44 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin HTTP/1.1" 200 7690
x.x.x.x - - [26/Dec/2006:10:48:47 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/util HTTP/1.1" 200 10116
x.x.x.x - - [26/Dec/2006:10:48:55 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin HTTP/1.1" 200 7690
x.x.x.x - - [26/Dec/2006:10:48:56 +0000] "POST http://mail.google.com/mail/channel/bind?at=5aa75864bf050aeb-10fbe4944aa&VER=4&RID=62961&CVER=2&zx=zfzv21-pgr3zq&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:48:57 +0000] "GET http://www.google.com/url?rand=02feecb0841167130141767&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:48:59 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin HTTP/1.1" 200 7304
x.x.x.x - - [26/Dec/2006:10:49:01 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin/BasePlugin.java HTTP/1.1" 200 17991
x.x.x.x - - [26/Dec/2006:10:49:06 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/plugin HTTP/1.1" 200 7304
x.x.x.x - - [26/Dec/2006:10:49:07 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin HTTP/1.1" 200 7690
x.x.x.x - - [26/Dec/2006:10:49:08 +0000] "GET http://mail.google.com/mail/channel/test?at=5aa75864bf050aeb-10fbe4944aa&MODE=init&zx=8pcy3m-mg5hza&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:49:08 +0000] "GET http://www.google.com/url?rand=02feecb0841167130153144&q=http%3A%2F%2Fwww.google.com%2Fimages%2Fcleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:49:09 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin/util HTTP/1.1" 200 10116
x.x.x.x - - [26/Dec/2006:10:49:17 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/dvplugin HTTP/1.1" 200 7690
x.x.x.x - - [26/Dec/2006:10:49:18 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki HTTP/1.1" 200 7419
x.x.x.x - - [26/Dec/2006:10:49:21 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/util HTTP/1.1" 200 6986
x.x.x.x - - [26/Dec/2006:10:49:25 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org/arswiki/util/Mime.java HTTP/1.1" 200 24054
x.x.x.x - - [26/Dec/2006:10:49:38 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src/org HTTP/1.1" 200 6553
x.x.x.x - - [26/Dec/2006:10:49:38 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a/src HTTP/1.1" 200 6377
x.x.x.x - - [26/Dec/2006:10:49:39 +0000] "GET /projects/dvpfw/browser/tags/dvpfw-0.1a HTTP/1.1" 200 14312
x.x.x.x - - [26/Dec/2006:10:49:40 +0000] "GET /projects/dvpfw/browser/tags HTTP/1.1" 200 5616
x.x.x.x - - [26/Dec/2006:10:49:41 +0000] "GET /projects/dvpfw/browser HTTP/1.1" 200 6324
x.x.x.x - - [26/Dec/2006:10:49:46 +0000] "GET /projects/dvpfw/report HTTP/1.1" 200 8713
x.x.x.x - - [26/Dec/2006:10:49:46 +0000] "GET /projects/dvpfw/chrome/common/css/report.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:49:52 +0000] "GET /projects/dvpfw/report/2 HTTP/1.1" 200 4619
x.x.x.x - - [26/Dec/2006:10:49:52 +0000] "GET /projects/dvpfw/chrome/common/xml.png HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:49:58 +0000] "GET /projects/dvpfw/wiki HTTP/1.1" 200 5851

I have since removed WIKI_CREATE and WIKI_MODIFY from anonymous.

Thanks, Axton Grams

Attachments (0)

Change History (6)

comment:1 by Emmanuel Blot, 18 years ago

Description: modified (diff)

(fixin' description)

comment:2 by Jonas Borgström, 18 years ago

I'm not sure I'm reading your apache log correctly, but it looks like somebody is using (or trying to) your server as an http proxy. Are you using mod_proxy?

But as far as I can tell all suspicious GET/POST requests failed with a 404 Not Found response.

comment:3 by axton.grams@…, 18 years ago

Apache config follows. I do not see mod_proxy. Thought it was suspicious, but I can't quite understand what this person is attempting to do or how they got my server to do POSTs. I increased the Trac logging to see if I can catch any more info if it happens again.

inspirationaltechnologies% httpd -l
Compiled in modules:
  core.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

The shared modules that get loaded include the following:

inspirationaltechnologies% httpd -M
Loaded Modules:
 core_module (static)
 include_module (static)
 filter_module (static)
 log_config_module (static)
 env_module (static)
 setenvif_module (static)
 ssl_module (static)
 mpm_prefork_module (static)
 http_module (static)
 mime_module (static)
 status_module (static)
 autoindex_module (static)
 asis_module (static)
 cgi_module (static)
 negotiation_module (static)
 dir_module (static)
 actions_module (static)
 userdir_module (static)
 alias_module (static)
 so_module (static)
 auth_basic_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authn_file_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 dav_module (shared)
 deflate_module (shared)
 rewrite_module (shared)
 python_module (shared)
 dav_svn_module (shared)
 authz_svn_module (shared)
Syntax OK

comment:4 by Tim Hatch, 18 years ago

I agree this is not a Trac issue, as the requests are being caught by Apache. If the x.x.x.x address is that of your client, I suggest checking it to see why it's sending such weird requests.

comment:5 by axton.grams@…, 18 years ago

Unfortunately, I cannot communicate with the client because I do not know who they are, and based on the ARIN data for the IP, probably can't speak their language. My suspicion was that they were using Trac to post to other sites somehow, for reasons unknown (remote file include, redirect of auth params, etc.). The only thing this Apache installation serves is Trac, so I was thinking they were somehow abusing Trac or Apache in some way in an attempt to redirect traffic. If you think this is not a Trac issue, you can close this request. I will watch for this again, and if I can gather any more information that would lead me to believe the issue is Trac related, I will post it to this ticket.

Axton Grams

comment:6 by Matthew Good, 18 years ago

Resolution: invalid
Status: new → closed

As Jonas said, it simply appears that someone is probing your site to see if it will act as an open proxy server. Based on the 404 responses it is not set up for this, so you have nothing to worry about. Unfortunately these types of probes are just a fact of running a public web server, but it doesn't reflect a vulnerability in Trac or Apache.
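The diagnosis in the comments above (absolute-URI request lines are proxy-style requests, and 404/400 answers mean Apache served nothing on the requester's behalf) can be turned into a routine check of an access_log. The script below is an added example, not part of this ticket or of Trac: it parses Common Log Format lines, flags request targets that are absolute URIs or CONNECT tunnels, groups them by upstream host, and reports whether any of them received a 2xx/3xx response, which would indicate the server actually relayed traffic. The sample log is constructed from the ticket's excerpt with the client address anonymised as in the report; the `example.com` line with a 200 status and the unparseable line are constructed additions to exercise the "relayed" and "malformed" branches. `ProxyRequests` in the warning text refers to the Apache mod_proxy directive that enables forward proxying.

```python
"""Flag forward-proxy style requests in an Apache access_log.

Added example (not from the Trac ticket or the Trac project). A request line
whose target is an absolute URI ("GET http://host/path HTTP/1.1") or a CONNECT
request asks this server to act as a forward proxy. If such a request is
answered 2xx/3xx the server relayed it; 4xx (404/400 in the ticket's log) means
Apache handled the path locally and proxied nothing.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache Common Log Format; the Combined format's extra fields are ignored.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample modelled on the ticket's excerpt (client anonymised as in
# the report). The example.com line (a successful relay) and the final garbage
# line are constructed additions to exercise the other branches.
SAMPLE_LOG = """\
x.x.x.x - - [26/Dec/2006:10:30:30 +0000] "GET /projects/dvpfw HTTP/1.1" 200 5851
x.x.x.x - - [26/Dec/2006:10:30:32 +0000] "POST http://mail.google.com/mail/channel/bind?VER=2&t=1 HTTP/1.1" 404 215
x.x.x.x - - [26/Dec/2006:10:30:39 +0000] "GET http://www.google.com/url?q=cleardot.gif HTTP/1.1" 404 201
x.x.x.x - - [26/Dec/2006:10:30:45 +0000] "GET http://support.bmc.com/arsys/resources/html/MessagePopup.html HTTP/1.1" 404 236
x.x.x.x - - [26/Dec/2006:10:44:42 +0000] "GET /projects/dvpfw/chrome/common/css/trac.css HTTP/1.1" 304 -
x.x.x.x - - [26/Dec/2006:10:46:08 +0000] "POST http://mail.google.com/mail/channel/bind?VER=2&t=3 HTTP/1.1" 400 226
y.y.y.y - - [26/Dec/2006:11:02:10 +0000] "GET http://example.com/ HTTP/1.1" 200 512
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def proxy_target_host(method, target):
    """Return the upstream host if the request asks us to proxy, else None."""
    if method == "CONNECT":            # tunnel request: target is host:port
        return target.split(":")[0]
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        return parts.hostname         # absolute-form target: proxy-style
    return None                        # origin-form target such as /projects/x


def analyse(log_text):
    """Summarise proxy-style requests and whether any were actually served."""
    by_host = Counter()
    served, refused, unparsed = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        host = proxy_target_host(rec["method"], rec["target"])
        if host is None:
            continue
        by_host[host] += 1
        if rec["status"] < 400:        # 2xx/3xx: the server relayed the request
            served.append({"client": rec["client"], "host": host,
                           "status": rec["status"]})
        else:                          # 4xx/5xx: handled locally, nothing proxied
            refused += 1
    return {
        "proxy_attempts": sum(by_host.values()),
        "by_host": dict(by_host),
        "served": served,
        "refused": refused,
        "unparsed": unparsed,
        "open_proxy_indicated": bool(served),
    }


def report(result):
    """Render the analysis as a short human-readable summary."""
    lines = [f"proxy-style requests: {result['proxy_attempts']} "
             f"(refused {result['refused']}, served {len(result['served'])})"]
    for host, n in sorted(result["by_host"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {host}: {n}")
    if result["open_proxy_indicated"]:
        lines.append("WARNING: absolute-URI requests were answered 2xx/3xx; "
                     "check ProxyRequests and the mod_proxy configuration")
    else:
        lines.append("No proxy-style request was served; the server is not relaying traffic.")
    if result["unparsed"]:
        lines.append(f"  ({result['unparsed']} line(s) did not parse)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyse(SAMPLE_LOG)))
```

Run it against a real log with `analyse(open("access_log").read())`; on the ticket's own excerpt every proxy-style line is answered 404 or 400, so `open_proxy_indicated` is false, which is exactly the conclusion reached above. A true positive is any absolute-URI or CONNECT line with a 2xx/3xx status.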
