A fix for the Apache mod_dumpio module not dumping null bytes


Two weeks ago I wrote about my surprise in learning that the Apache mod_dumpio module does not dump null (i.e., zero) bytes. That shortcoming makes it difficult to analyze attacks that involve binary data such as Zip archives. That a module which claims to log all the data sent to or from an Apache web server does not actually do so is rather surprising and exasperating, especially since the module has been around for at least nine years (the earliest reference I could find was October 2006).

As recently as April 2015 someone with a Ph.D. posted on the SANS ISC forums that the Apache dumpio module could be used to log all data. It’s hard to believe that seemingly serious and highly credentialed security researchers have not noticed this module does not log all the data that passes through it. Or, for that matter, that no one else has noticed and fixed this problem in the decade since Jim Jagielski published this module.

I decided to fix this bug. Mostly because I wanted to see what the hackers were trying to upload to my server as a Zip archive in an attempt to exploit WordPress “revslider” plugin vulnerabilities. I intend to submit this updated mod_dumpio.c source code to the Apache project. In the meantime you can download it from here. If you want to install this under Homebrew on Mac OS X, send an email to krader@skepticism.us and I’ll provide guidance.

Update 2015-10-04: This Python program, error_log_data_extract, is what I use to extract and decode the data logged by the mod_dumpio module that I fixed to correctly handle null bytes. This makes it trivial to reconstruct the entire request of an attack including binary data such as Zip archives.
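As an added illustration (not code from mod_dumpio.c, from the patch described above, or from error_log_data_extract), the following C program shows the failure mode this post is about and one way out of it: copying a bucket into a NUL-terminated buffer and handing it to a `%s` format drops the first null byte and everything after it, whereas escaping each byte before it reaches the log keeps the whole payload and can be reversed afterwards by a small decoder, which is the job the extractor script does for the patched module. The truncation mechanism, the `\xNN` escape format and the sample bytes (the start of a Zip local file header) are assumptions made for this example; they do not describe how the patched module or the extractor actually encode data.

```c
/* Added example, not from mod_dumpio.c, the patch, or error_log_data_extract.
 * Shows why a C-string logging path loses null bytes and one escaping scheme
 * that survives the error log and round-trips. The \xNN format (a literal
 * backslash becomes \\) is an assumption for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: Zip local file header signature "PK\3\4", then a
 * little-endian version field 0x14 0x00 and two more zero bytes. The first
 * 0x00 is where a "%s" log line stops. */
static const unsigned char SAMPLE[] = { 'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 'Z' };
static const size_t SAMPLE_LEN = sizeof SAMPLE;

/* The failing pattern: NUL-terminate the bucket data and log it with "%s".
 * Returns how many of the nbytes actually reach the log line. */
size_t naive_log_len(const unsigned char *buf, size_t nbytes, char *out, size_t outsz)
{
    char *obuf = malloc(nbytes + 1);
    if (!obuf) return 0;
    memcpy(obuf, buf, nbytes);
    obuf[nbytes] = '\0';
    snprintf(out, outsz, "%s", obuf);   /* stops at the first 0x00 */
    free(obuf);
    return strlen(out);
}

/* The fix: never treat the payload as a C string. Escape every byte that is
 * not printable ASCII so the log line is unambiguous. Returns bytes written. */
size_t escape_bytes(const unsigned char *buf, size_t nbytes, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < nbytes; i++) {
        unsigned char c = buf[i];
        if (c == '\\') {                         /* escape the escape char itself */
            if (o + 2 >= outsz) break;
            out[o++] = '\\'; out[o++] = '\\';
        } else if (isprint(c)) {
            if (o + 1 >= outsz) break;
            out[o++] = (char)c;
        } else {                                 /* 0x00 included */
            if (o + 4 >= outsz) break;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return o;
}

/* Decoder for the scheme above. Returns bytes recovered, or (size_t)-1 on a
 * malformed escape, so a corrupted log line is rejected rather than guessed. */
size_t unescape_bytes(const char *in, unsigned char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o >= outsz) return (size_t)-1;
        if (in[i] != '\\') { out[o++] = (unsigned char)in[i]; continue; }
        i++;
        if (in[i] == '\\') { out[o++] = '\\'; continue; }
        if (in[i] != 'x' || !isxdigit((unsigned char)in[i + 1])
                         || !isxdigit((unsigned char)in[i + 2]))
            return (size_t)-1;
        char hex[3] = { in[i + 1], in[i + 2], '\0' };
        out[o++] = (unsigned char)strtoul(hex, NULL, 16);
        i += 2;
    }
    return o;
}

/* Helpers that run the whole pipeline on SAMPLE. */
size_t sample_naive_len(void)
{
    static char line[128];
    return naive_log_len(SAMPLE, SAMPLE_LEN, line, sizeof line);
}

const char *sample_escaped(void)
{
    static char line[128];
    escape_bytes(SAMPLE, SAMPLE_LEN, line, sizeof line);
    return line;
}

int sample_round_trips(void)
{
    unsigned char back[64];
    size_t n = unescape_bytes(sample_escaped(), back, sizeof back);
    return n == SAMPLE_LEN && memcmp(back, SAMPLE, n) == 0;
}

int main(void)
{
    printf("naive %%s logging kept %zu of %zu bytes\n", sample_naive_len(), SAMPLE_LEN);
    printf("escaped: %s\n", sample_escaped());
    printf("round trip: %s\n", sample_round_trips() ? "ok" : "MISMATCH");
    return 0;
}
```

The point to take from the naive path is that it does not merely drop the zero bytes: the nine-byte sample becomes five bytes in the log, because everything after the first 0x00 is gone, which is why an uploaded Zip archive shows up truncated after its header. Any escaping scheme used in a fix should stay within printable ASCII so the error_log line itself remains easy to parse, and the matching decoder should refuse malformed escapes instead of silently producing wrong bytes.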