From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 21 Feb 2007 18:31:54 +0200
Subject: [NEWS] Apache Multiple Injection Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070221170631.10E235950@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Apache Multiple Injection Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Apache is the most widely deployed web server on the Internet. Originally
based on the NCSA web server, it has grown a lot and is now a large
project managed by the Apache Software Foundation. Apache is a wonderful
piece of software and a good example of the power of open source software.
Apache can also be considered a perfect platform for learning about the
HTTP protocol and, even more, for learning about the problems of turning
the theory (RFC) into real code.
Multiple injection vulnerabilities were discovered in the Apache server;
other HTTP servers are suspected to be vulnerable as well.
DETAILS
To summarize the impacts:
1.- Almost arbitrary injection into HTTP 404 error responses (Apache)
a) Fake virus injection in Apache 404 HTTP responses, which can lead to
alarms on corporate gateway antivirus, loss of trust in supposedly trusted
sites, end user paranoia...
b) Control code injection (backspaces, etc.), thus allowing script
injection in the server response. Right now it seems that this
vulnerability is not affecting real browsers, just because of the
"backspace" escaping in the clients, or due to other things. Anyway, the
problem is that echoing back control codes is a violation of the
Content-Type char set in the response and is IMHO a security risk.
Impact in the future: REAL injection in Apache 404 HTTP responses of
almost any kind of file, that is, viruses, binaries, Trojans, etc. The
attacker must be able to modify the "Content-Type" HTTP header of the
server response. Also, due to some restrictions on the injected "payload",
the attacker must avoid using some chars like null bytes.
2.- Location HTTP header injection in server redirect responses (Apache,
IIS, Zeus 3.2, Google Web Server, Jigsaw/2.2.5, probably many others)
Depending on the affected web server it could be a Denial of Service (when
combined with proxy cache poisoning), HTTP URL redirection, etc.
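The two classes of problem summarized above, seen from the server side: an added example (not code from the advisory, Apache, or any of the listed servers) of building a 404 body and a redirect Location value from request data without echoing control codes or markup. It assumes the redirect target is assembled from a request-supplied host and an already-decoded path, which the summary does not specify; the function names, the fallback host and the sample inputs are constructed for illustration.

```python
import html
import re
from urllib.parse import quote

# C0 control characters and DEL: none of these belong in a text/html error page.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
# Conservative host[:port] syntax: letters, digits, dots and hyphens only.
_HOST = re.compile(r"[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?")


def render_404(request_path: str) -> str:
    """Build a 404 body that never echoes raw control codes or markup."""
    # Show control characters as visible \xNN text instead of emitting them.
    visible = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), request_path)
    # Escape markup so the echoed path is displayed, not interpreted.
    escaped = html.escape(visible, quote=True)
    return ("<html><body><h1>Not Found</h1>"
            "<p>The requested URL %s was not found.</p></body></html>" % escaped)


def redirect_location(host: str, path: str,
                      default_host: str = "www.example.test") -> str:
    """Build a Location value from request data (assumed inputs, see lead-in)."""
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not _HOST.fullmatch(host):
        host = default_host  # fall back to the configured server name
    # Percent-encode everything outside the unreserved set and "/", so
    # line breaks, spaces and control codes cannot reach the header.
    return "http://%s%s" % (host, quote(path, safe="/"))


def demo():
    """Run both helpers over constructed sample inputs."""
    body = render_404("/missing\x08\x08<script>x</script>")
    loc_bad_host = redirect_location("example.test\r\nX-Extra: 1", "/dir")
    loc_bad_path = redirect_location("example.test:8080", "/a b\r\nX-Extra: 1")
    return body, loc_bad_host, loc_bad_path


if __name__ == "__main__":
    for item in demo():
        print(item)
```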
For the full article please visit:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
ADDITIONAL INFORMATION
The information has been provided by <mailto:hugo@infohacking.com>.
The original article can be found at:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.