Re: Apache Multiple Injection Vulnerabilities

Board: Bugtraq | Date: 2007/02/16 03:14
hugo@infohacking.com wrote:
> There's a new advisory at:
> http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
>
> Summarizing:
>
> [...]
>
> b) Control codes injection -backspaces, etc.- thus allowing script injection in the server response. Right now it seems that this vulnerability is not affecting real browsers, just because of the "backspace" escaping in the clients, or due to other things. Anyway, the problem is that echoing back control codes is a violation of the Content-Type charset in the response and is IMHO a security risk.
>

Just a quick note: what you demonstrated is that "control characters" are returned in a response whose charset is "iso-8859-1". But your text later states that "ISO 8859-1 encodes ...". Notice the difference: "iso-8859-1" vs. "iso 8859-1" - hyphen vs. space. These are different character sets - iso-8859-1 is a superset of iso 8859-1, adding all those control characters and whatnot. From RFC-1345:

  &charset ISO_8859-1:1987
  &rem source: ECMA registry
  &alias iso-ir-100
  &g1esc x2d41 &g2esc x2e41 &g3esc x2f41
  &alias ISO_8859-1
  &alias ISO-8859-1
  &alias latin1
  &alias l1
  &alias IBM819
  &alias CP819
  &code 0
  NU SH SX EX ET EQ AK BL BS HT LF VT FF CR SO SI
  DL D1 D2 D3 D4 NK SY EB CN EM SB EC FS GS RS US
  SP !  "  Nb DO %  &  '  (  )  *  +  ,  -  .  /
  0  1  2  3  4  5  6  7  8  9  :  ;  <  =  >  ?
  At A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
  P  Q  R  S  T  U  V  W  X  Y  Z  <( // )> '> _
  '! a  b  c  d  e  f  g  h  i  j  k  l  m  n  o
  p  q  r  s  t  u  v  w  x  y  z  (! !! !) '? DT
  PA HO BH NH IN NL SA ES HS HJ VS PD PU RI S2 S3
  DC P1 P2 TS CC MW SG EG SS GC SC CI ST OC PM AC
  NS !I Ct Pd Cu Ye BB SE ': Co -a << NO -- Rg '-
  DG +- 2S 3S '' My PI .M ', 1S -o >> 14 12 34 ?I
  A! A' A> A? A: AA AE C, E! E' E> E: I! I' I> I:
  D- N? O! O' O> O? O: *X O/ U! U' U> U: Y' TH ss
  a! a' a> a? a: aa ae c, e! e' e> e: i! i' i> i:
  d- n? o! o' o> o? o: -: o/ u! u' u> u: y' th y:

So those control characters are not in violation of the stated charset.

Thanks,
-Amit
Article ID (AID): #15rB3y00 (Bugtraq)
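Added example (not part of the original message or the advisory): Python's iso-8859-1 codec, like the RFC 1345 table quoted above, maps all 256 byte values, so validating reflected data against the declared charset does not reject C0/C1 control bytes; a server that echoes request data has to filter them explicitly. The names ALLOWED_CONTROLS, find_controls and sanitize_for_echo, the \xNN escape format and the sample bytes are assumptions made for this illustration.

```python
import unicodedata

# Assumption: the only control characters the application wants to keep.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}


def is_unwanted_control(ch: str) -> bool:
    # Unicode category "Cc" covers C0 (0x00-0x1F), DEL (0x7F) and C1 (0x80-0x9F).
    return unicodedata.category(ch) == "Cc" and ch not in ALLOWED_CONTROLS


def find_controls(raw: bytes):
    """Return (offset, byte value) for every unwanted control byte in raw."""
    # Decoding never fails: the iso-8859-1 codec maps all 256 byte values.
    text = raw.decode("iso-8859-1")
    return [(i, ord(ch)) for i, ch in enumerate(text) if is_unwanted_control(ch)]


def sanitize_for_echo(raw: bytes) -> bytes:
    """Replace unwanted control bytes with a visible \\xNN escape.

    This only neutralises control codes; HTML-escaping of <, >, & and quotes
    is a separate step that still has to happen before the value is reflected.
    """
    out = []
    for ch in raw.decode("iso-8859-1"):
        out.append("\\x%02x" % ord(ch) if is_unwanted_control(ch) else ch)
    return "".join(out).encode("iso-8859-1")


# Constructed sample: text followed by backspaces, markup, a Latin-1 letter
# (0xE9) and a C1 control (0x85).
SAMPLE = b"abc\x08\x08\x08<b>caf\xe9\x85"

if __name__ == "__main__":
    print(find_controls(SAMPLE))
    print(sanitize_for_echo(SAMPLE))
```

The accented letter 0xE9 passes through untouched while the backspaces and the C1 byte are made visible, which is the distinction a charset-validity check alone cannot draw.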