RE: Apache Multiple Injection Vulnerabilities
No offence meant, but in all of your advisory only the control-code stuff and possibly pissing off IPS/IDS systems makes sense.
But you need to have the user click a URL on a page you control. If a URL he clicks on your site makes the IPS/IDS shout alerts, he might just get a clue, and suspect your site instead of the site you linked to. Either way, it's harmless, as long as there are no weird bugs in browsers concerning this. But even then it's just as easy to make your own webserver spew out the harmful data.
Now correct me if I'm wrong, but your cache poisoning in combination with redirection only works if you can edit the HTML files accessed. Well now, if you can edit the HTML files, you can just put redirects in there. Now, I agree that it's a bug, but it's not a _security_ bug.
Other than that, the fact that the Host header is used to make redirects is absolutely normal, not a bug, not a security bug by a long shot. If the user can reach a server with a certain hostname, getting a redirect with the same hostname is something you'd want. The fact that you can manually craft a header with a fake hostname doesn't mean you can get a user's browser to do that.
You have a nice "Proof of Concept" on your site, where you put some JavaScript in the Host header of the request. But how would you ever get a user's browser to have that crafted header? If you can control the browser to that extent, there are much, much worse things you can do. And if you craft a URL with that as a hostname, the browser will not be able to resolve it to an IP.
Greetings,
Rogier
> -----Original Message-----
> From: hugo@infohacking.com [mailto:hugo@infohacking.com]
> Sent: Wednesday 14 February 2007 6:21
> To: bugtraq@securityfocus.com
> Subject: Apache Multiple Injection Vulnerabilities
>
> There's a new advisory at:
> http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
>
> Summarizing:
>
> "1.- HTTP 404 error response almost arbitrary injection (Apache)
>
> Impact right now:
>
> a) fake virus injection in Apache 404 HTTP responses, which can lead to
> alarms on corporate gateway antivirus, loss of trust in supposedly trusted
> sites, end-user paranoia...
>
> b) Control code injection -backspaces, etc.- thus allowing script
> injection in the server response. Right now it seems that this
> vulnerability is not affecting real browsers, just because of the
> "backspace" escaping in the clients, or due to other things. Anyway, the
> problem is that echoing back control codes is a violation of the
> Content-Type charset in the response and is IMHO a security risk.
>
> Impact in the future: REAL injection in Apache 404 HTTP responses of
> almost any kind of file, that is virus, binaries, trojans, etc. The
> attacker must be able to modify the "Content-Type" HTTP header of the
> server response. Also, due to some restrictions in the injected
> "payload", the attacker must avoid using some chars like null bytes.
>
> 2.- Location HTTP header injection in server redirect responses (Apache,
> IIS, Zeus 3.2, Google Web Server, Jigsaw/2.2.5, probably many
> others)
>
> Impact: Depending on the affected web server it could be a Denial of
> Service -when combined with a proxy cache poisoning-, HTTP URL
> redirection, etc."
This e-mail message and its attachments are subject to the disclaimer published at the following website of Casema: http://www.casema.nl/disclaimer
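The two behaviours the thread argues about, Host-header echo into a Location header and control codes reflected into a 404 body, are easy to see side by side in a toy response builder. The following is an added illustration written for this page, not code from the advisory, from Apache, or from either poster; the hostnames, the allow-list and the request samples are constructed, and the hardened functions stand in for what a server gets from its own configuration (for Apache that is roughly the role of ServerName with UseCanonicalName On).

```python
import html
import re
from urllib.parse import quote

# Constructed configuration for this example: the only hostnames this server
# is willing to copy into a Location header, and the one it falls back to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"

# A plain DNS-style hostname with an optional :port. Anything else (spaces,
# angle brackets, quotes, control characters) fails to match.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
    r"(?::\d{1,5})?$"
)

# ASCII control characters, including backspace (0x08) and DEL (0x7f).
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def naive_redirect(host_header, path):
    """Directory redirect as discussed in the thread: whatever string arrived
    in the Host header is copied verbatim into the Location header."""
    return {"status": 301, "Location": f"http://{host_header}{path}/"}


def hardened_redirect(host_header, path):
    """Same redirect, but the hostname is only echoed when it is well formed
    and on the allow-list; otherwise the canonical name is used. The path is
    percent-encoded so it cannot carry raw control characters either."""
    host = host_header.strip().lower()
    if not _HOST_RE.match(host) or host.split(":")[0] not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    safe_path = quote(path, safe="/")
    return {"status": 301, "Location": f"http://{host}{safe_path}/"}


def naive_404_body(path):
    """404 page that reflects the requested path as-is."""
    return f"<html><body><h1>Not Found</h1><p>The requested URL {path} " \
           f"was not found on this server.</p></body></html>"


def hardened_404_body(path):
    """404 page that strips control codes from the path before reflecting it
    and HTML-escapes what remains, so the body stays plain text in the
    declared charset."""
    clean = html.escape(_CONTROL_RE.sub("", path), quote=True)
    return f"<html><body><h1>Not Found</h1><p>The requested URL {clean} " \
           f"was not found on this server.</p></body></html>"


def has_control_codes(text):
    """Check a response body or header value for ASCII control characters;
    useful as the condition an IDS or a response-audit script would alert on."""
    return _CONTROL_RE.search(text) is not None


if __name__ == "__main__":
    # Constructed requests: one normal, one with a hostname that is not ours.
    for host in ("www.example.com", "attacker.example"):
        print(naive_redirect(host, "/docs")["Location"],
              "->", hardened_redirect(host, "/docs")["Location"])
    odd_path = "/index\x08\x08\x08<b>"
    print(has_control_codes(naive_404_body(odd_path)),
          has_control_codes(hardened_404_body(odd_path)))
```

Running the block shows the naive redirect happily reproducing a foreign hostname while the hardened one falls back to the canonical name, and that only the naive 404 body trips the control-code check. The allow-list approach is the general form of the point Rogier makes: a server that reaches the user under one of its configured names has no reason to echo any other name back.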