Bug 201163 - www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Bug#: 201163 (CVE-2007-6203)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27906
Summary: www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Keywords:  
Status Whiteboard: A4 [glsa]
Opened: 2007-12-04 01:22 0000
Description:
CVE-2007-6203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6203):
  Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method
  specifier header from an HTTP request when it is reflected back in a "413
  Request Entity Too Large" error message, which might allow cross-site
  scripting (XSS) style attacks using web client components that can send
  arbitrary headers in requests, as demonstrated via an HTTP request containing
  an invalid Content-length value, a similar issue to CVE-2006-3918.

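The description above names the trigger (a request whose method specifier carries attacker text together with an invalid Content-Length) and the sink (the 413 error page echoing that method). The following is an added example, not code from this bug report, from Apache or from the advisory: it builds that probe request, classifies a raw HTTP response as vulnerable (method echoed verbatim), fixed (method echoed HTML-escaped, which is what the upstream fix does) or not reflected, and can optionally send the probe to a live host. The marker string `<x-probe>`, the hostname and the wording of the two sample 413 bodies are assumptions constructed here; the samples are not captures from a real server. Whether a browser or plugin can be made to emit such a method is the client-side question the comments below debate; this code only checks the server side.

```python
# Added example (not part of the Gentoo bug or of Apache): probe for the
# CVE-2007-6203 reflection and classify a raw HTTP response.
#
# Assumptions (not taken from the bug report):
#   * the marker string <x-probe> stands in for an attacker-chosen payload;
#   * the 413 body wording below is modelled on Apache's "does not allow
#     request data with <METHOD> requests" message; both sample responses
#     are constructed here, not captured from a real server.
import html
import socket

MARKER = "<x-probe>"


def build_probe(host: str, marker: str = MARKER) -> bytes:
    """Build the raw request the CVE text describes: a method specifier
    carrying the marker plus a Content-Length that is not a number, which
    makes affected Apache 2.0.x/2.2.x answer 413 and echo the method."""
    request = (
        f"GET{marker} / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Length: not-a-number\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def classify_response(raw: bytes, marker: str = MARKER) -> str:
    """Classify a raw HTTP response to the probe.

    'vulnerable'    : 413 and the marker appears verbatim in the body
    'fixed'         : 413 and the marker appears only HTML-escaped
    'no-reflection' : 413 but the method is not echoed at all
    'not-413'       : some other status (probe did not hit the 413 path)
    """
    text = raw.decode("iso-8859-1")          # 1:1 byte-to-char, never fails
    head, _, body = text.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "413":
        return "not-413"
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=True) in body:
        return "fixed"
    return "no-reflection"


def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a live server and classify the answer (network I/O;
    only for hosts you are authorised to test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


# Constructed sample responses (not real captures).
def _sample_413(method_as_rendered: str) -> bytes:
    body = (
        "<html><head><title>413 Request Entity Too Large</title></head>\n"
        "<body><h1>Request Entity Too Large</h1>\n"
        "The requested resource<br />/<br />\n"
        f"does not allow request data with {method_as_rendered} requests, "
        "or the amount of data provided in the request exceeds the capacity "
        "limit.\n</body></html>\n"
    )
    return (
        "HTTP/1.1 413 Request Entity Too Large\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        "Connection: close\r\n"
        "\r\n" + body
    ).encode("iso-8859-1")


VULNERABLE_RESPONSE = _sample_413("GET" + MARKER)           # pre-fix: raw method
FIXED_RESPONSE = _sample_413("GET" + html.escape(MARKER))   # post-fix: escaped

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_server(sys.argv[1]))
    else:
        print("sample vulnerable:", classify_response(VULNERABLE_RESPONSE))
        print("sample fixed:     ", classify_response(FIXED_RESPONSE))
```

Run without arguments to see both constructed samples classified; run with a hostname to send the probe over port 80. A "fixed" verdict means the server still echoes the method but escapes `<`, `>`, `&` and quotes before doing so, which is exactly the difference the upstream patch introduced.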
------- Comment #1 From Robert Buchholz 2007-12-04 01:24:37 0000 -------
Apache herd, please advise.

------- Comment #2 From Lubomir Rintel 2007-12-04 08:14:04 0000 -------
This has no security impact.
How do you trick a user into sending garbage before the actual request method name?

------- Comment #3 From Robert Buchholz 2007-12-04 15:50:16 0000 -------
According to the advisory, flash movies can generate such requests:

From http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html :

var req:LoadVars=new LoadVars();
req.addRequestHeader("Foo","Bar");
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
         "_blank","GET");

So by tricking a user into loading a malicious Flash movie, an attacker could
redirect the user to a defaced URL on a remote server.

------- Comment #4 From Lubomir Rintel 2007-12-05 18:56:52 0000 -------
If I understand correctly, you'd have to control the "GET" part of this:

> req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
>          "_blank","GET");

I am not able to check if it is possible, but the advisory sounds like it
isn't:

> The reason why we didn't consider this vulnerability a security risk is
> because the attacker needs to force the victim's browser to submit a malformed
> HTTP method.

...

> However, in this case we need to spoof the HTTP METHOD to a specially-crafted
> value.

------- Comment #5 From Benedikt Böhm 2007-12-15 14:34:45 0000 -------
Fixed in 2.2.6-r6, but please don't stabilize this version now, since it is the
first unmasked USE_EXPAND version of apache and still needs some testing. I
don't think this is a problem since the vuln is not even acknowledged upstream
but fixed in their svn branch anyway.

------- Comment #6 From Benedikt Böhm 2008-01-07 23:05:28 0000 -------
2.2.6-r7 is ready for stabilization, see #204838

------- Comment #7 From Benedikt Böhm 2008-01-10 16:18:47 0000 -------
This one is ready.

------- Comment #8 From Pierre-Yves Rofes 2008-01-12 21:39:12 0000 -------
Time for GLSA decision. I'll vote YES just because of the crash issue (bug
#204410).

------- Comment #9 From Sune Kloppenborg Jeppesen 2008-01-13 14:05:05 0000 -------
Voting YES and filing.

------- Comment #10 From Pierre-Yves Rofes 2008-03-11 21:49:29 0000 -------
GLSA 200803-19