Summary: | www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | apache-bugs, bernd, chainsaw, lkundrak
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://secunia.com/advisories/27906 | |
Whiteboard: | A4 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 204838 | |
Bug Blocks: | | |
Description
Robert Buchholz (RETIRED)
2007-12-04 01:22:48 UTC
Apache herd, please advise.

This has no security impact. How do you trick a user into sending garbage before the actual request method name?

According to the advisory, flash movies can generate such requests. From http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html :

    var req:LoadVars=new LoadVars();
    req.addRequestHeader("Foo","Bar");
    req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2", "_blank","GET");

So if tricking a user to load a malicious flash movie, an attacker could redirect a user to a defaced URL on a remote server.

If I understand correctly, you'd have to control the "GET" part of this:

> req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
> "_blank","GET");

I am not able to check if it is possible, but the advisory sounds like it isn't:

> The reason why we didn't consider this vulnerability a security risk is
> because the attacker needs to force the victim's browser to submit a malformed
> HTTP method.
> ...
> However, in this case we need to spoof the HTTP METHOD to a specially-crafted
> value.

Fixed in 2.2.6-r6, but please don't stabilize this version now, since it is the first unmasked USE_EXPAND version of apache and still needs some testing.

I don't think this is a problem since the vuln is not even acknowledged upstream but fixed in their svn branch anyway.

2.2.6-r7 is ready for stabilization, see #204838

This one is ready, time for GLSA decision. I'll vote YES just because of the crash issue (bug #204410).

Voting YES and filing.

GLSA 200803-19
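As an added defender-side example (not part of this bug report, the advisory, or Apache itself), the following Python check scans Apache combined-format log lines and flags 413 responses whose logged request method is not a valid HTTP token, which is the "malformed HTTP method" the advisory quoted above says an attacker would need to send. It assumes the server logs the raw request line via `%r`; the sample log lines are constructed for the example.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# RFC 2616 "token": any CHAR except CTLs and separators such as ( ) < > " / ; etc.
# A real method (GET, PROPFIND, ...) is always a token; markup never is.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    # %r is the raw request line; the method is everything before the first space.
    method = request.split(" ", 1)[0]
    return {"host": m.group("host"), "time": m.group("time"), "method": method,
            "status": int(m.group("status")), "request": request}


def is_suspicious(entry):
    """True for a 413 whose method is not a syntactically valid HTTP token.

    Valid-but-unusual methods (e.g. WebDAV) are left alone; only a method that
    could not have come from a normal client, such as one carrying < or ", is flagged.
    """
    return entry["status"] == 413 and not TOKEN_RE.match(entry["method"])


def find_suspicious(lines):
    """Return the parsed entries that look like CVE-2007-6203 probing attempts."""
    return [e for e in map(parse_line, lines) if e and is_suspicious(e)]


# Constructed sample log lines: one benign 413, one 413 with markup in the method, one 200.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Dec/2007:01:22:48 +0000] "POST /upload HTTP/1.1" 413 345 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [04/Dec/2007:01:23:10 +0000] "<b>GET</b> /some/page.cgi?p1=v1 HTTP/1.1" 413 420 "-" "Shockwave Flash"',
    '10.0.0.9 - - [04/Dec/2007:01:23:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} malformed method in 413: {hit["request"]!r}')
```

A hit only means a client sent a non-token method and got the 413 page back; whether that page reflected the method unescaped depends on the Apache version, so the actual fix remains upgrading to 2.2.6-r6 or later.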