79799 2002-10-02 17:21 /102 rader/ mattmurphy@kc.rr.com <mattmurphy@kc.rr.com> Importerad: 2002-10-02 17:21 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: news@securiteam.com Extern mottagare: vulnwatch@vulnwatch.org Extern mottagare: vuln-dev@securityfocus.com Externa svar till: mattmurphy@kc.rr.com Mottagare: Bugtraq (import) <1738> Ärende: Apache 2 Cross-Site Scripting ------------------------------------------------------------ This is being submitted without an update to Apache, but I am expecting an Apache Update Announcement shortly. The CVE has already assigned a candidate to this (it is currently reserved), and CERT has assigned VU#240329, but has not created a write-up yet. The reason for the ugly mail2web .sig is because I'm posting from school. --- Advisory Follows --- Apache 2.0 Cross-Site Scripting Vulnerability Release Date: October 2, 2002 Severity: Medium (Session hijacking/possible compromise) Systems Affected: Apache 2.0 prior to 2.0.43 CVE: CAN-2002-0840 Description: A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host. This particular attack involves a lack of filtering on HTTP/1.1 "Host" headers, sent by most recent browsers. The vulnerability occurs because Apache doesn't filter maliciously malformed headers containing HTML markup before passing them onto the browser as entity data. The following URL will demonstrate the attack: http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22% 3 E.apachesite.org/raise_404 Some browsers submit the malicious host header when parsing this request: Host: <img src="" onerror="alert(document.cookie)"> Apache returns this malicious host in the form of a server signature: <ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS> Technical Description: A few browsers (Internet Explorer for example), decode escaped hostnames in URL components. With this decoding done, the browser then sends on the malicious HTTP/1.1 "Host" header, and bounces the request back, completing the attack. Mozilla could be exploited (as could several other additional browsers) if JavaScript can be injected without spaces. However, I wasn't able to come up with a lab scenario for this. Cross-site scripting vulnerabilities are often assumed to be small, useless exposures that aren't worth much attention. This is a false assumption -- depending on the applications installed, a successful privilege escalation via XSS can result in complete compromise of a web server, or other sensitive systems. Further, the privacy risks from XSS holes are severe -- many users will be far less inclined to visit a site that may accidentally cough up their personal information to an attacker. Vendor Status: The Apache Software Foundation has released Apache 2.0.43 to eliminate this vulnerability. It is available from http://www.apache.org/dist/httpd/ Credit: * Thanks to Pedram Amini <pedram@redhive.com> for allowing me to use his Redhive machines for testing. * Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release of information regarding this vulnerability. * Thanks to the developers of Apache (and in particular, Mark Cox and Cliff Woolley) for a fast response to eliminate this vulnerability. References: This vulnerability has been included in the MITRE Common Vulnerabilities and Exposures database as CAN-2002-0840 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the CERT/CC has assigned VU#240329 to this issue. Disclaimer: The material in this advisory is subject to change. It is believed accurate based on experiments though there is no warranty on the information provided. I am not responsible for the results of your use/misuse -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . (79799) /mattmurphy@kc.rr.com <mattmurphy@kc.rr.com>/(Ombruten)