
Bug 209899 (CVE-2008-0455)

Summary: www-servers/apache mod_negotiation XSS and CRLF injection (CVE-2008-{0455,0456})
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: apache-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.mindedsecurity.com/MSA01150108.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 18:54:08 UTC
CVE-2008-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0455):
  Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the
  Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier
  in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote
  authenticated users to inject arbitrary web script or HTML by uploading a
  file with a name containing XSS sequences and a file extension, which leads
  to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices"
  HTTP response when the extension is omitted in a request for the file.

CVE-2008-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0456):
  CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP
  Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x
  series, and 1.3.39 and earlier in the 1.3.x series allows remote
  authenticated users to inject arbitrary HTTP headers and conduct HTTP
  response splitting attacks by uploading a file with a multi-line name
  containing HTTP header sequences and a file extension, which leads to
  injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices"
  HTTP response when the extension is omitted in a request for the file.
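The two advisories above share one root cause: a stored filename is copied verbatim into a server-generated "300 Multiple Choices" / "406 Not Acceptable" body and into response headers. The following Python is an added illustration written for this page, not Apache code and not the upstream patch; it models the verbatim rendering next to a hardened form that HTML-escapes the name, refuses to emit a header built from a name containing CR or LF, and applies an allowlist to upload names before they are stored. The filenames, the allowlist pattern and the header layout are constructed assumptions.

```python
"""Neutralising filenames that are echoed into negotiation responses.

Added illustration (not Apache's own code). Sample filenames are constructed.
"""
import html
import re

# Constructed samples: an upload name carrying markup, one carrying a line
# break (header-splitting sequence), and an ordinary negotiated variant name.
BAD_NAME = 'report<script>alert(1)</script>.html'
CRLF_NAME = 'report\r\nSet-Cookie: x=1.html'
GOOD_NAME = 'report.en.html'

# Assumed allowlist for names stored in a content-negotiated directory:
# letters, digits, dot, dash and underscore; no whitespace or control chars.
SAFE_NAME_RE = re.compile(r'[A-Za-z0-9._-]+')


def is_safe_upload_name(name: str) -> bool:
    """Accept only names that cannot carry HTML or HTTP header sequences."""
    if not name or name in ('.', '..'):
        return False
    return SAFE_NAME_RE.fullmatch(name) is not None


def variant_list_unsafe(variants):
    """Mirror of the flaw: each name copied verbatim into the HTML body."""
    items = ''.join(f'<li><a href="{v}">{v}</a></li>' for v in variants)
    return f'<ul>{items}</ul>'


def variant_list_safe(variants):
    """Hardened form: every name is HTML-escaped before reaching the body."""
    items = ''.join(
        f'<li><a href="{html.escape(v, quote=True)}">{html.escape(v)}</a></li>'
        for v in variants
    )
    return f'<ul>{items}</ul>'


def alternates_header(variants):
    """Build an Alternates-style header value (layout assumed: {"name" q}).

    A name containing CR or LF would terminate the header line and let the
    remainder be parsed as further headers, so such names are rejected.
    """
    for v in variants:
        if '\r' in v or '\n' in v:
            raise ValueError('filename contains a line break; header not emitted')
    return ', '.join(f'{{"{v}" 1}}' for v in variants)


if __name__ == '__main__':
    print(is_safe_upload_name(GOOD_NAME), is_safe_upload_name(BAD_NAME))
    print(variant_list_safe([BAD_NAME]))
    print(alternates_header([GOOD_NAME]))
```

The allowlist check belongs at upload time; the escaping and the CR/LF refusal belong wherever the server composes the variant list, since a name that slipped past upload validation must still be rendered harmlessly.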
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 18:58:35 UTC
Apache herd, is this already fixed in our stable 2.2.8? I could not find any info on that.
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-23 19:45:16 UTC
Both CVEs affect <=2.2.6 only; only arm, s390 and sh are missing, but already requested in bug 205195.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-24 13:29:37 UTC
Were they stable at the time of filing this bug? If that is the case it should be closed as invalid. Otherwise I guess we should proceed to glsa? status.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-02-24 17:54:13 UTC
Our last GLSA marks 2.2.6 as secure, so we can GLSA this together with the other bugs fixed in 2.2.8. A YES for me.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-25 20:10:31 UTC
Voting YES and commented on draft.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 21:51:35 UTC
GLSA 200803-19