201163 CVE-2007-6203 2007-12-04 01:22 0000 www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203) 2008-03-11 21:49:29 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27906 A4 [glsa] P2 minor --- 204838 1 rbu@gentoo.org security@gentoo.org apache-bugs@gentoo.org bernd@linx.net chainsaw@gentoo.org lkundrak@v3.sk rbu@gentoo.org 2007-12-04 01:22:48 0000 CVE-2007-6203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6203): Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message, which might allow cross-site scripting (XSS) style attacks using web client components that can send arbitrary headers in requests, as demonstrated via an HTTP request containing an invalid Content-length value, a similar issue to CVE-2006-3918. rbu@gentoo.org 2007-12-04 01:24:37 0000 Apache herd, please advise. lkundrak@v3.sk 2007-12-04 08:14:04 0000 This has no security impact. How do you trick user into sending garbage before actual request method name? rbu@gentoo.org 2007-12-04 15:50:16 0000 According to the advisory, flash movies can generate such requests: From http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html : var req:LoadVars=new LoadVars(); req.addRequestHeader("Foo","Bar"); req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2", "_blank","GET"); So if tricking a user to load a malicious flash movie, an attacker could redirect a user to a defaced URL on a remote server. lkundrak@v3.sk 2007-12-05 18:56:52 0000 If I understend correctly, you'd have to control the "GET" part of this: > req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2", > "_blank","GET"); I am not able to check if it is possible, but the advisory sounds like it isn't: > The reason why we didn't consider this vulnerability a security risk is > because the attacker needs to force the victim's browser to submit a malformed > HTTP method. ... > However, in this case we need to spoof the HTTP METHOD to a specially-crafted > value. hollow@gentoo.org 2007-12-15 14:34:45 0000 fixed in 2.2.6-r6, but please dot stabilize this version now, since it is the first unmasked USE_EXPAND version of apache and still needs some testing. i don't think this is a problem since the vuln is not even acknowledged upstream but fixed in their svn branch anyway. hollow@gentoo.org 2008-01-07 23:05:28 0000 2.2.6-r7 is ready for stabilization, see #204838 hollow@gentoo.org 2008-01-10 16:18:47 0000 this one is ready py@gentoo.org 2008-01-12 21:39:12 0000 time for glsa decision. I'll vote YES just because of the crash issue (bug #204410) jaervosz@gentoo.org 2008-01-13 14:05:05 0000 Voting YES and filing. py@gentoo.org 2008-03-11 21:49:29 0000 GLSA 200803-19