79799 2002-10-02 17:21 /102 lines/ mattmurphy@kc.rr.com <mattmurphy@kc.rr.com>
Imported: 2002-10-02 17:21 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: news@securiteam.com
External recipient: vulnwatch@vulnwatch.org
External recipient: vuln-dev@securityfocus.com
External replies to: mattmurphy@kc.rr.com
Recipient: Bugtraq (import) <1738>
Subject: Apache 2 Cross-Site Scripting
------------------------------------------------------------
This is being submitted without an update to Apache, but I am
expecting an Apache Update Announcement shortly. The CVE has
already assigned a candidate to this (it is currently reserved), and
CERT has assigned VU#240329, but has not created a write-up yet.
The reason for the ugly mail2web .sig is because I'm posting from
school.

--- Advisory Follows ---

Apache 2.0 Cross-Site Scripting Vulnerability

Release Date:
October 2, 2002

Severity:
Medium (Session hijacking/possible compromise)

Systems Affected:
Apache 2.0 prior to 2.0.43

CVE: CAN-2002-0840

Description: A vulnerability exists in the SSI error pages of Apache
2.0 that involves incorrect filtering of server signature data. The
vulnerability could enable an attacker to hijack web sessions,
allowing a range of potential compromises on the targeted host.

This particular attack involves a lack of filtering on the HTTP/1.1
"Host" header, which most recent browsers send. The vulnerability
occurs because Apache does not filter maliciously malformed Host
headers containing HTML markup before passing them on to the browser
as entity data.

The following URL will demonstrate the attack:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%3E.apachesite.org/raise_404

Some browsers submit the malicious host header when parsing this
request:

Host: <img src="" onerror="alert(document.cookie)">

Apache returns this malicious host in the form of a server signature:

<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>

Technical Description: A few browsers (Internet Explorer, for
example) decode escaped hostnames in URL components. With this
decoding done, the browser sends on the malicious HTTP/1.1 "Host"
header, and the server bounces it back in the error page, completing
the attack. Mozilla could be exploited (as could several other
browsers) if JavaScript can be injected without spaces. However, I
wasn't able to come up with a lab scenario for this.
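As an added illustration (not Apache's code or the author's), the following Python models the reflection chain described above and two controls that each break it: HTML-escaping the reflected hostname before it is written into the signature, and refusing to echo a Host header that is not a syntactically valid hostname. The browser's percent-decoding step and the Apache/2.0.39 signature are modelled from the text; the hostname grammar and the "unknown-host" fallback are assumptions of this example, and the page does not state how 2.0.43 itself fixes the issue.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# Assumed Host header grammar: DNS labels (letters, digits, hyphens),
# dot-separated, with an optional :port. Anything else is malformed
# and must never be echoed into a response body unescaped.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*(?::\d{1,5})?$"
)

# Demo URL from the advisory (constructed input, as in the text above).
DEMO_URL = ("http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28"
            "document%2Ecookie%29%22%3E.apachesite.org/raise_404")


def host_header_from_url(url: str) -> str:
    """Mimic a browser that percent-decodes the URL authority before
    placing it in the HTTP/1.1 Host header (the behaviour the advisory
    attributes to Internet Explorer)."""
    return unquote(urlsplit(url).netloc)


def is_valid_host(host: str) -> bool:
    """Syntactic check usable both at request time and over logged
    Host values: True only for hostname[:port]."""
    return bool(_HOST_RE.match(host))


def server_signature(host: str, escape: bool) -> str:
    """Render the SSI error-page signature. escape=False reproduces the
    pre-2.0.43 behaviour: the Host value lands in the HTML verbatim."""
    shown = html.escape(host, quote=True) if escape else host
    return f"<ADDRESS>Apache/2.0.39 Server at {shown}</ADDRESS>"


def error_page(host: str, escape: bool = True, validate: bool = True) -> str:
    """Build the 404 body. Either control on its own removes the
    reflected markup; a real server would rather answer 400 than
    substitute a placeholder (assumed fallback for illustration)."""
    if validate and not is_valid_host(host):
        host = "unknown-host"
    return server_signature(host, escape)
```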

Cross-site scripting vulnerabilities are often assumed to be small,
useless exposures that aren't worth much attention. This is a false
assumption -- depending on the applications installed, a successful
privilege escalation via XSS can result in complete compromise of a
web server, or other sensitive systems. Further, the privacy risks
from XSS holes are severe -- many users will be far less inclined to
visit a site that may accidentally cough up their personal
information to an attacker.

Vendor Status: The Apache Software Foundation has released Apache
2.0.43 to eliminate this vulnerability. It is available from
http://www.apache.org/dist/httpd/

Credit: * Thanks to Pedram Amini <pedram@redhive.com> for allowing me
to use his Redhive machines for testing.

* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the
release of information regarding this vulnerability.

* Thanks to the developers of Apache (and in particular, Mark Cox and
Cliff Woolley) for a fast response to eliminate this vulnerability.

References:
This vulnerability has been included in the MITRE Common Vulnerabilities
and Exposures database as CAN-2002-0840
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the
CERT/CC has assigned VU#240329 to this issue.

Disclaimer: The material in this advisory is subject to change. It is
believed accurate based on experiments, though there is no warranty
on the information provided. I am not responsible for the results of
your use/misuse.

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .