clients ignoring brokenness of sites

From: Adrien de Croy <adrien@qbik.com>
Date: Thu, 23 Jul 2009 14:00:25 +1200
Message-ID: <4A67C439.1090502@qbik.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi all

sorry, normally I wouldn't bother the list about this, but we had 
reports from a customer about a site that caused our proxy to return an 
error about a server malformed response.

The server response looked like this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 22 Jul 2009 02:33:56 GMT
X-Powered-By: ASP.NET
Connection: close
PHP Warning:  PHP Startup: sdo: Unable to initialize module
Module compiled with module API=20060613, debug=0, thread-safety=1
PHP    compiled with module API=20050922, debug=0, thread-safety=1
These options need to match
in Unknown on line 0
X-Powered-By: PHP/5.1.5
Content-type: text/html; charset=iso-8859-1


Normally this wouldn't be particularly interesting - just another broken 
site.  However all the browsers I tested swallowed this without 
complaining and displayed the body.  I tested IE8, Chrome, FF3.5 and 
Opera 9.6.4.  Each of the lines in the response was terminated by CRLF 
(not bare LF), so I'm struggling to see how anyone can interpret the PHP 
warning as anything resembling a valid header (even wrapped, since no 
leading WS).

Isn't this a potentially serious security problem?

It's hard to be the only proxy that decides to demonstrate how broken 
this site is - customers don't understand....

Cheers

Adrien

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Thursday, 23 July 2009 01:57:39 GMT
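
The check a strict intermediary would apply to this response head, as an added example that is not part of the original message or of any product mentioned in it. The function name audit_headers and the constant RAW are assumptions; RAW is the response quoted in the message, re-typed with CRLF line endings.

```python
import re

# field-name must be a token (RFC 2616 section 2.2; same set as tchar in RFC 7230)
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Response head re-typed from the message above, CRLF line endings as reported.
RAW = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: Microsoft-IIS/5.0",
    b"Date: Wed, 22 Jul 2009 02:33:56 GMT",
    b"X-Powered-By: ASP.NET",
    b"Connection: close",
    b"PHP Warning:  PHP Startup: sdo: Unable to initialize module",
    b"Module compiled with module API=20060613, debug=0, thread-safety=1",
    b"PHP    compiled with module API=20050922, debug=0, thread-safety=1",
    b"These options need to match",
    b"in Unknown on line 0",
    b"X-Powered-By: PHP/5.1.5",
    b"Content-type: text/html; charset=iso-8859-1",
    b"", b"",
])

def audit_headers(raw):
    """Return (fields, problems): fields is [(name, value)], problems is
    [(line_number, reason, line)], with the status line counted as line 1."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return [], [(0, "no CRLF CRLF terminator", b"")]
    fields, problems = [], []
    for n, line in enumerate(head.split(b"\r\n")[1:], start=2):
        name, colon, value = line.partition(b":")
        if b"\r" in line or b"\n" in line:
            problems.append((n, "bare CR or LF", line))
        elif line[:1] in (b" ", b"\t"):
            if fields:  # leading whitespace continues the previous field
                prev_name, prev_value = fields[-1]
                fields[-1] = (prev_name, prev_value + b" " + line.strip(b" \t"))
            else:
                problems.append((n, "continuation with no field before it", line))
        elif not colon:
            problems.append((n, "no colon", line))
        elif not TOKEN.fullmatch(name):
            problems.append((n, "invalid field-name", line))
        else:
            fields.append((name, value.strip(b" \t")))
    return fields, problems

if __name__ == "__main__":
    fields, problems = audit_headers(RAW)
    for n, reason, line in problems:
        print(f"line {n}: {reason}: {line!r}")
```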