Subject: Apache 2 Cross-Site Scripting
Date: Wed, 2 Oct 2002 08:59:28 -0400
From: "mattmurphy@kc.rr.com" <mattmurphy@kc.rr.com>
To: bugtraq@securityfocus.com, news@securiteam.com, vulnwatch@vulnwatch.org, vuln-dev@securityfocus.com

This is being submitted without an update to Apache, but I am expecting an Apache Update Announcement shortly. The CVE has already assigned a candidate to this (it is currently reserved), and CERT has assigned VU#240329, but has not created a write-up yet.

The reason for the ugly mail2web .sig is because I'm posting from school.

--- Advisory Follows ---

Apache 2.0 Cross-Site Scripting Vulnerability

Release Date: October 2, 2002
Severity: Medium (Session hijacking/possible compromise)
Systems Affected: Apache 2.0 prior to 2.0.43
CVE: CAN-2002-0840

Description:

A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.

This particular attack involves a lack of filtering on HTTP/1.1 "Host" headers, sent by most recent browsers. The vulnerability occurs because Apache doesn't filter maliciously malformed headers containing HTML markup before passing them on to the browser as entity data.

The following URL will demonstrate the attack:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%3E.apachesite.org/raise_404

Some browsers submit the malicious host header when parsing this request:

Host: <img src="" onerror="alert(document.cookie)">

Apache returns this malicious host in the form of a server signature:

<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>

Technical Description:

A few browsers (Internet Explorer for example) decode escaped hostnames in URL components. With this decoding done, the browser then sends on the malicious HTTP/1.1 "Host" header, and bounces the request back, completing the attack.

Mozilla could be exploited (as could several other additional browsers) if JavaScript can be injected without spaces. However, I wasn't able to come up with a lab scenario for this.

Cross-site scripting vulnerabilities are often assumed to be small, useless exposures that aren't worth much attention. This is a false assumption -- depending on the applications installed, a successful privilege escalation via XSS can result in complete compromise of a web server, or other sensitive systems. Further, the privacy risks from XSS holes are severe -- many users will be far less inclined to visit a site that may accidentally cough up their personal information to an attacker.

Vendor Status:

The Apache Software Foundation has released Apache 2.0.43 to eliminate this vulnerability. It is available from http://www.apache.org/dist/httpd/

Credit:

* Thanks to Pedram Amini <pedram@redhive.com> for allowing me to use his Redhive machines for testing.
* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release of information regarding this vulnerability.
* Thanks to the developers of Apache (and in particular, Mark Cox and Cliff Woolley) for a fast response to eliminate this vulnerability.

References:

This vulnerability has been included in the MITRE Common Vulnerabilities and Exposures database as CAN-2002-0840 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the CERT/CC has assigned VU#240329 to this issue.

Disclaimer:

The material in this advisory is subject to change. It is believed accurate based on experiments though there is no warranty on the information provided. I am not responsible for the results of your use/misuse
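As an added illustration, not code from the advisory or from the Apache project, the following Python models the defect described above and the two standard defences for this class of bug: HTML-escaping the Host value before it is interpolated into the server signature, and validating the Host header against the hostname grammar so that a value carrying markup is refused before it reaches any template. The demonstration URL and the Host value are the ones quoted in the advisory; the helper names, the hostname check and the use of the "Apache/2.0.39" version string in the modelled signature are assumptions for the example and do not describe what Apache 2.0.43 actually changed.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Demonstration URL quoted in the advisory (constructed input for this example).
DEMO_URL = ("http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29"
            "%22%3E.apachesite.org/raise_404")

# Host header value the advisory says some browsers send after decoding the URL.
MALFORMED_HOST = '<IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org'

# Version string taken from the advisory's example output; purely illustrative.
SERVER_VERSION = "Apache/2.0.39"

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def host_from_url(url):
    """Model the browser behaviour the advisory describes: the authority part of the
    URL is percent-decoded and that decoded string becomes the Host header value."""
    return unquote(urlsplit(url).netloc)


def signature_unescaped(host):
    """Vulnerable pattern: the Host value is interpolated verbatim into HTML, so any
    markup in it becomes part of the page (this is the flaw, kept here for contrast)."""
    return f"<ADDRESS>{SERVER_VERSION} Server at {host}</ADDRESS>"


def signature_escaped(host):
    """Hardened form: escape the value for an HTML text context first, so '<', '>' and
    quotes are rendered as literal characters and never parsed as tags or attributes."""
    return f"<ADDRESS>{SERVER_VERSION} Server at {html.escape(host, quote=True)}</ADDRESS>"


def is_valid_host(host):
    """Input validation (assumed conservative grammar, not Apache's own parser):
    hostname made of valid labels, optional ':port' in 1..65535. Markup never passes."""
    name, _, port = host.partition(":")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        return False
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)


def contains_markup(rendered):
    """Demonstration check: does the rendered signature carry any raw '<' or '>'
    inside the ADDRESS wrapper, i.e. content the browser would parse as a tag?"""
    inner = rendered[len("<ADDRESS>"):-len("</ADDRESS>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    host = host_from_url(DEMO_URL)
    print("Host header the server receives:", host)
    print("valid hostname?", is_valid_host(host))        # False: rejected up front
    print("verbatim :", signature_unescaped(host))       # markup survives (the bug)
    print("escaped  :", signature_escaped(host))         # markup neutralised
```

The escaping step is the fix that belongs in any code path that echoes request data into HTML; the hostname check is defence in depth, and it is also the condition a request-logging or WAF rule would key on, since a legitimate Host header never contains `<`, `>`, quotes or spaces.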