Home page logo
/

bugtraq logo Bugtraq mailing list archives

Apache 2 Cross-Site Scripting
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Wed, 2 Oct 2002 08:59:28 -0400

This is being submitted without an update to Apache, but I am expecting an 
Apache Update Announcement shortly.  The CVE has already assigned a
candidate 
to this (it is currently reserved), and CERT has assigned VU#240329, but
has 
not created a write-up yet.  The reason for the ugly mail2web .sig is
because 
I'm posting from school.

--- Advisory Follows ---

Apache 2.0 Cross-Site Scripting Vulnerability

Release Date:
October 2, 2002

Severity:
Medium (Session hijacking/possible compromise)

Systems Affected:
Apache 2.0 prior to 2.0.43

CVE: CAN-2002-0840

Description:
A vulnerability exists in the SSI error pages of Apache 2.0 that involves 
incorrect filtering of server signature data. The vulnerability could
enable 
an attacker to hijack web sessions, allowing a range of potential
compromises 
on the targeted host.

This particular attack involves a lack of filtering on HTTP/1.1 "Host" 
headers, sent by most recent browsers. The vulnerability occurs because 
Apache doesn't filter maliciously malformed headers containing HTML markup 
before passing them onto the browser as entity data.

The following URL will demonstrate the attack:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%
3
E.apachesite.org/raise_404

Some browsers submit the malicious host header when parsing this request:

Host: <img src="" onerror="alert(document.cookie)">

Apache returns this malicious host in the form of a server signature:

<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" 
ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>

Technical Description:
A few browsers (Internet Explorer for example), decode escaped hostnames in 
URL components. With this decoding done, the browser then sends on the 
malicious HTTP/1.1 "Host" header, and bounces the request back, completing 
the attack. Mozilla could be exploited (as could several other additional 
browsers) if JavaScript can be injected without spaces. However, I wasn't 
able to come up with a lab scenario for this.

Cross-site scripting vulnerabilities are often assumed to be small, useless 
exposures that aren't worth much attention. This is a false assumption -- 
depending on the applications installed, a successful privilege escalation 
via XSS can result in complete compromise of a web server, or other
sensitive 
systems. Further, the privacy risks from XSS holes are severe -- many users 
will be far less inclined to visit a site that may accidentally cough up 
their personal information to an attacker.

Vendor Status:
The Apache Software Foundation has released Apache 2.0.43 to eliminate this 
vulnerability. It is available from http://www.apache.org/dist/httpd/

Credit:
* Thanks to Pedram Amini <pedram () redhive com> for allowing me to use his 
Redhive machines for testing.

* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release 
of information regarding this vulnerability.

* Thanks to the developers of Apache (and in particular, Mark Cox and Cliff 
Woolley) for a fast response to eliminate this vulnerability.

References:
This vulnerability has been included in the MITRE Common Vulnerabilities
and 
Exposures database as CAN-2002-0840 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the 
CERT/CC has assigned VU#240329 to this issue.

Disclaimer:
The material in this advisory is subject to change. It is believed accurate 
based on experiments though there is no warranty on the information
provided. 
I am not responsible for the results of your use/misuse 

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .



  By Date           By Thread  

Current thread:
  • Apache 2 Cross-Site Scripting mattmurphy () kc rr com (Oct 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]