clients ignoring brokenness of sites

Hi all

Sorry, normally I wouldn't bother the list about this, but we had 
reports from a customer about a site that caused our proxy to return an 
error about a server malformed response.

The server response looked like this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 22 Jul 2009 02:33:56 GMT
X-Powered-By: ASP.NET
Connection: close
PHP Warning:  PHP Startup: sdo: Unable to initialize module
Module compiled with module API=20060613, debug=0, thread-safety=1
PHP    compiled with module API=20050922, debug=0, thread-safety=1
These options need to match
in Unknown on line 0
X-Powered-By: PHP/5.1.5
Content-type: text/html; charset=iso-8859-1


Normally this wouldn't be particularly interesting - just another broken 
site.  However all the browsers I tested swallowed this without 
complaining and displayed the body.  I tested IE8, Chrome, FF3.5 and 
Opera 9.6.4.  Each of the lines in the response was terminated by CRLF 
(not bare LF), so I'm struggling to see how anyone can interpret the PHP 
warning as anything resembling a valid header (even wrapped, since no 
leading WS).

Isn't this a potentially serious security problem?

It's hard to be the only proxy that decides to demonstrate how broken 
this site is - customers don't understand....

Cheers

Adrien

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Thursday, 23 July 2009 01:57:39 UTC
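
The check described in the message above, as an added example that is not part of the original post or of WinGate: a header-block validator that flags every line which is neither a "name: value" field nor a whitespace-led continuation, and also returns the fields a lenient parser would still recover. The function names are hypothetical and the sample bytes are re-typed from the response quoted in the message.

```python
import re

# A header field line: token characters (RFC 7230 tchar), then a colon.
FIELD_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:")

# Response head from the message above, re-typed with CRLF line endings.
SAMPLE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: Microsoft-IIS/5.0",
    b"Date: Wed, 22 Jul 2009 02:33:56 GMT",
    b"X-Powered-By: ASP.NET",
    b"Connection: close",
    b"PHP Warning:  PHP Startup: sdo: Unable to initialize module",
    b"Module compiled with module API=20060613, debug=0, thread-safety=1",
    b"PHP    compiled with module API=20050922, debug=0, thread-safety=1",
    b"These options need to match",
    b"in Unknown on line 0",
    b"X-Powered-By: PHP/5.1.5",
    b"Content-type: text/html; charset=iso-8859-1",
    b"", b"",
])

def check_header_block(raw):
    """Return (headers_a_lenient_parser_keeps, [(line_number, bad_line), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers, violations = [], []
    # Line 1 is the status line; header lines start at line 2.
    for lineno, line in enumerate(head.split(b"\r\n")[1:], start=2):
        if line[:1] in (b" ", b"\t") and headers:
            # Leading whitespace: folded continuation of the previous field.
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
        elif FIELD_LINE.match(line):
            name, _, value = line.partition(b":")
            headers.append((name.lower(), value.strip()))
        else:
            # Neither a field line nor a continuation: malformed.
            violations.append((lineno, line))
    return headers, violations

def strict_accepts(raw):
    """Strict policy: reject the whole response if any line is malformed."""
    return not check_header_block(raw)[1]

if __name__ == "__main__":
    kept, bad = check_header_block(SAMPLE)
    print("strict parser accepts:", strict_accepts(SAMPLE))
    for lineno, line in bad:
        print(f"line {lineno}: not a header field: {line!r}")
    print("lenient parser keeps:", [n.decode() for n, _ in kept])
```

A proxy can log the returned line numbers alongside the upstream host, so the error shown to the customer points at the exact offending lines.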