durusmail: quixote-users: PROPFIND and other methods
PROPFIND and other methods
Mike Orr
2005-09-20
I found the following in my Quixote access log.

161.55.32.34 - 2005-09-17 10:39:50 483 "OPTIONS / HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments HTTP/1.1" 301 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/ HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.14sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments HTTP/1.1" 301 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/ HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec

I found nothing in the RFCs about these methods but these links
suggest it's an attack against an IIS server (which I don't have):
http://groups.google.com/group/microsoft.public.inetserver.iis/browse_frm/thread/a9ecbf7ba3bd1794/31879151c845e65f?lnk=st&q=propfind&rnum=8#31879151c845e65f
http://www.iisfaq.com/default.aspx?View=A489

The application is responding normally, as if they were GET requests.
Shouldn't it be sending 501 Not Implemented?  Should this be Quixote's
default?

For OPTIONS, shouldn't it be sending a list of supported methods?

For TRACE, shouldn't it be echoing the headers back?

* * * * *
On another note, my error log has a bunch of these:

[2005-09-16 09:01:41] IOError while sending response ignored: [Errno 32] Broken pipe

Like I really care if the client has gone away.  Should I just patch
the publisher/logger to suppress these?

* * * * *
A third problem, which may be an Apache configuration issue.  The
access log for the HTTPS site has the correct client IPs.  But the log
for the HTTP site shows the server's IP for all requests.  I'm
guessing Apache is lying about the IP for some reason.

* * * * *
Finally, I tried to process the access log through Webalizer but it
wouldn't accept it.  The 'user' field is coming out as a multi-word
string ( str(user) ), so I changed it to the username and fed it to
Webalizer again.  I also added the missing second column (ident, as
'-') as required by the Common Logfile Format.  Still the same
problem: Webalizer thinks the entire rest of the line is the username.
Even if the username is '-'.  I wrote a homegrown log analyzer
instead, but it would be nice to use Webalizer.  Is the default format
supposed to be CLF compatible?  One thing I miss is the referer; I'll
have to add that column.

I'm actually planning to make the logger put the access log in a SQL
database.  No reason to screw around with this format if I'm only
using it for one purpose.

* * * * *
Attached is a little program I wrote to display the headers returned
by a request, and to allow you to set the method (GET, OPTIONS,
PROPSET, etc).

--
Mike Orr
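As an added example (not part of the original post and not Quixote code): a Python script that parses the access-log layout quoted in the message and lists requests whose method is outside an allowlist yet received a 2xx or 3xx status, which is the behaviour the post describes. The allowlist, the regular expression (inferred from the quoted lines) and the final GET line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumption: the methods this application is meant to serve.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Layout inferred from the log lines quoted in the post; the token after the
# timestamp (483 in the post) is kept as an opaque field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<date>\S+) (?P<time>\S+) (?P<field>\S+) '
    r'"(?P<method>[A-Z-]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r"(?P<status>\d{3}) '(?P<agent>[^']*)' (?P<secs>[\d.]+)sec$"
)

# First five lines are from the post; the last (GET) line is constructed.
SAMPLE_LOG = """\
161.55.32.34 - 2005-09-17 10:39:50 483 "OPTIONS / HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments HTTP/1.1" 301 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/ HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.14sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments HTTP/1.1" 301 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
161.55.32.34 - 2005-09-17 10:39:51 483 "PROPFIND /attachments/ HTTP/1.1" 200 'Microsoft-WebDAV-MiniRedir/5.1.2600' 0.00sec
192.0.2.10 - 2005-09-17 10:40:02 483 "GET /attachments/ HTTP/1.1" 200 'ExampleBrowser/1.0' 0.02sec
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def unexpected_successes(lines, allowed=ALLOWED_METHODS):
    """Entries where a method outside `allowed` was answered with 2xx or 3xx."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["method"] not in allowed and entry["status"][0] in "23":
            hits.append(entry)
    return hits

def summarize(hits):
    """Count hits per (client IP, method, status)."""
    return Counter((h["ip"], h["method"], h["status"]) for h in hits)

if __name__ == "__main__":
    report = summarize(unexpected_successes(SAMPLE_LOG.splitlines()))
    for (ip, method, status), count in sorted(report.items()):
        print(f"{ip} {method} -> {status} x{count}")
```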