- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 23 Jul 2009 14:00:25 +1200
- To: HTTP Working Group <ietf-http-wg@w3.org>
Hi all

Sorry, normally I wouldn't bother the list about this, but we had reports from a customer about a site that caused our proxy to return an error about a server malformed response.

The server response looked like this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 22 Jul 2009 02:33:56 GMT
X-Powered-By: ASP.NET
Connection: close
PHP Warning: PHP Startup: sdo: Unable to initialize module
Module compiled with module API=20060613, debug=0, thread-safety=1
PHP compiled with module API=20050922, debug=0, thread-safety=1
These options need to match
in Unknown on line 0
X-Powered-By: PHP/5.1.5
Content-type: text/html; charset=iso-8859-1

Normally this wouldn't be particularly interesting - just another broken site. However all the browsers I tested swallowed this without complaining and displayed the body. I tested IE8, Chrome, FF3.5 and Opera 9.6.4.

Each of the lines in the response was terminated by CRLF (not bare LF), so I'm struggling to see how anyone can interpret the PHP warning as anything resembling a valid header (even wrapped, since no leading WS).

Isn't this a potentially serious security problem?

It's hard to be the only proxy that decides to demonstrate how broken this site is - customers don't understand....

Cheers

Adrien

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Thursday, 23 July 2009 01:57:39 UTC
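
The strict check the message describes, as an added example that is not part of the original post: each header line of the quoted response is tested against the HTTP field-name token grammar, with continuation accepted only when a line starts with whitespace. The function names are hypothetical, and the line breaks inside the PHP warning are assumed from PHP's usual warning format.

```python
import re

# Field names must be an HTTP "token": no spaces, no separators.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Response head from the message, rebuilt with CRLF endings. The line
# breaks inside the PHP warning are assumed from PHP's usual format.
SAMPLE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Server: Microsoft-IIS/5.0",
    b"Date: Wed, 22 Jul 2009 02:33:56 GMT",
    b"X-Powered-By: ASP.NET",
    b"Connection: close",
    b"PHP Warning: PHP Startup: sdo: Unable to initialize module",
    b"Module compiled with module API=20060613, debug=0, thread-safety=1",
    b"PHP compiled with module API=20050922, debug=0, thread-safety=1",
    b"These options need to match",
    b"in Unknown on line 0",
    b"X-Powered-By: PHP/5.1.5",
    b"Content-type: text/html; charset=iso-8859-1",
    b"", b"",
])

def classify(line, prev_ok):
    """Return a verdict for one header line (status line excluded)."""
    if line[:1] in (b" ", b"\t"):
        # Leading whitespace folds onto the previous field, if there is one.
        return "continuation" if prev_ok else "malformed: orphan continuation"
    name, sep, _value = line.partition(b":")
    if not sep:
        return "malformed: no colon"
    if not TOKEN.fullmatch(name.decode("latin-1")):
        return "malformed: bad field name"
    return "ok"

def malformed_lines(raw):
    """List (line_number, verdict) for every header line a strict parser rejects."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    bad, prev_ok = [], False
    for n, line in enumerate(head.split(b"\r\n")[1:], start=2):
        verdict = classify(line, prev_ok)
        prev_ok = not verdict.startswith("malformed")
        if not prev_ok:
            bad.append((n, verdict))
    return bad

if __name__ == "__main__":
    for n, verdict in malformed_lines(SAMPLE):
        print(n, verdict)
```

Lines 6 to 10 of the sample are rejected: the first because "PHP Warning" is not a valid field name, the rest because they have no colon and no leading whitespace to make them a continuation.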