Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 201163 (CVE-2007-6203) - www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Summary: www-servers/apache < 2.2.6-r6 413 Request Entity Too Large XSS (CVE-2007-6203)
Status: RESOLVED FIXED
Alias: CVE-2007-6203
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27906
Whiteboard: A4 [glsa]
Keywords:
Depends on: 204838
Blocks:
  Show dependency tree
 
Reported: 2007-12-04 01:22 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-11 21:49 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:22:48 UTC
CVE-2007-6203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6203):
  Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method
  specifier header from an HTTP request when it is reflected back in a "413
  Request Entity Too Large" error message, which might allow cross-site
  scripting (XSS) style attacks using web client components that can send
  arbitrary headers in requests, as demonstrated via an HTTP request containing
  an invalid Content-length value, a similar issue to CVE-2006-3918.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 01:24:37 UTC
Apache herd, please advise.
Comment 2 Lubomir Rintel 2007-12-04 08:14:04 UTC
This has no security impact.
How do you trick user into sending garbage before actual request method name?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 15:50:16 UTC
According to the advisory, flash movies can generate such requests:

From http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html :

var req:LoadVars=new LoadVars();
req.addRequestHeader("Foo","Bar");
req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
         "_blank","GET");

So if tricking a user to load a malicious flash movie, an attacker could redirect a user to a defaced URL on a remote server.
Comment 4 Lubomir Rintel 2007-12-05 18:56:52 UTC
If I understend correctly, you'd have to control the "GET" part of this:

> req.send("http://www.vuln.site/some/page.cgi?p1=v1&p2=v2",
>          "_blank","GET");

I am not able to check if it is possible, but the advisory sounds like it isn't:

> The reason why we didn't consider this vulnerability a security risk is
> because the attacker needs to force the victim's browser to submit a malformed
> HTTP method.

...

> However, in this case we need to spoof the HTTP METHOD to a specially-crafted
> value.
Comment 5 Benedikt Böhm (RETIRED) gentoo-dev 2007-12-15 14:34:45 UTC
fixed in 2.2.6-r6, but please dot stabilize this version now, since it is the first unmasked USE_EXPAND version of apache and still needs some testing. i don't think this is a problem since the vuln is not even acknowledged upstream but fixed in their svn branch anyway.
Comment 6 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-07 23:05:28 UTC
2.2.6-r7 is ready for stabilization, see #204838
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2008-01-10 16:18:47 UTC
this one is ready
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-01-12 21:39:12 UTC
time for glsa decision. I'll vote YES just because of the crash issue (bug #204410)
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-13 14:05:05 UTC
Voting YES and filing.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-11 21:49:29 UTC
GLSA 200803-19