Howto modify AT commands to overcome a security issue?

[ullixesp]

I am using a device (a Geiger counter), which uses an ESP8266 for WiFi, acting as a client. Unfortunately, this device sends the GET request to the server with a CR termination, while it should use CRLF.

Apache sees this as a security risk, and rejects the request with "400 Bad Request" and logs it as "malformed request line" (https://httpd.apache.org/security/vul..., scroll to "important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)"). More discussion here: https://ask.wireshark.org/question/2431 ... d-request/

The AT command `<AT+GMR>` gives: `AT+GMR\r\r\nAT version:1.2.0.0(Jul 1 2016 20:04:45)\r\nSDK version:1.5.4.1 (39cb9a32) ... `. This seems to be pretty old, but, unfortunately, even if a newer one were available which delivers properly formed request lines, I can't use it, as the firmware is closed source.

I can, however, use AT commands on the device, and so I am wondering whether there is any way to modify how such request lines are formed using AT commands?

[ullixesp]

The above link to the Apache security issue is broken. Here is the proper one:
https://httpd.apache.org/security/vulne ... es_24.html

By the way: the Apache fix of this security issue was released in Dec 2016, so it came after the release of this AP version. Does anyone know whether later ESP-AT releases fixed this problem as well, or does it still exist in the code?

[Helen L]

I'm a little confused..I thought the HTTP was added to AT since 2020? https://github.com/espressif/esp-at/rel ... .0_esp8266

[ullixesp]

The ESP-AT was able to do http calls since 2016 at the latest. Albeit with that request, which is considered "malformed" since Dec 2106 at the latest.

[Alson]

AT version:1.2. 0.0 is too old!

Here I recommend that you use the latest AT version v2.2.1.0 for ESP8266 series. You can download firmware from https://github.com/espressif/esp-at/rel ... .0_esp8266.