mailing list archives
Apache 2 Cross-Site Scripting
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Wed, 2 Oct 2002 08:59:28 -0400
This is being submitted without an update to Apache, but I am expecting an
Apache Update Announcement shortly. The CVE has already assigned a
to this (it is currently reserved), and CERT has assigned VU#240329, but
not created a write-up yet. The reason for the ugly mail2web .sig is
I'm posting from school.
--- Advisory Follows ---
Apache 2.0 Cross-Site Scripting Vulnerability
October 2, 2002
Medium (Session hijacking/possible compromise)
Apache 2.0 prior to 2.0.43
A vulnerability exists in the SSI error pages of Apache 2.0 that involves
incorrect filtering of server signature data. The vulnerability could
an attacker to hijack web sessions, allowing a range of potential
on the targeted host.
This particular attack involves a lack of filtering on HTTP/1.1 "Host"
headers, sent by most recent browsers. The vulnerability occurs because
Apache doesn't filter maliciously malformed headers containing HTML markup
before passing them onto the browser as entity data.
The following URL will demonstrate the attack:
Some browsers submit the malicious host header when parsing this request:
Host: <img src="" onerror="alert(document.cookie)">
Apache returns this malicious host in the form of a server signature:
<ADDRESS>Apache/2.0.39 Server at <IMG SRC=""
A few browsers (Internet Explorer for example), decode escaped hostnames in
URL components. With this decoding done, the browser then sends on the
malicious HTTP/1.1 "Host" header, and bounces the request back, completing
the attack. Mozilla could be exploited (as could several other additional
able to come up with a lab scenario for this.
Cross-site scripting vulnerabilities are often assumed to be small, useless
exposures that aren't worth much attention. This is a false assumption --
depending on the applications installed, a successful privilege escalation
via XSS can result in complete compromise of a web server, or other
systems. Further, the privacy risks from XSS holes are severe -- many users
will be far less inclined to visit a site that may accidentally cough up
their personal information to an attacker.
The Apache Software Foundation has released Apache 2.0.43 to eliminate this
vulnerability. It is available from http://www.apache.org/dist/httpd/
* Thanks to Pedram Amini <pedram () redhive com> for allowing me to use his
Redhive machines for testing.
* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release
of information regarding this vulnerability.
* Thanks to the developers of Apache (and in particular, Mark Cox and Cliff
Woolley) for a fast response to eliminate this vulnerability.
This vulnerability has been included in the MITRE Common Vulnerabilities
Exposures database as CAN-2002-0840
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the
CERT/CC has assigned VU#240329 to this issue.
The material in this advisory is subject to change. It is believed accurate
based on experiments though there is no warranty on the information
I am not responsible for the results of your use/misuse
mail2web - Check your email from the web at
- Apache 2 Cross-Site Scripting mattmurphy () kc rr com (Oct 02)