This is being submitted without an update to Apache, but I am expecting an
Apache Update Announcement shortly. The CVE has already assigned a
candidate
to this (it is currently reserved), and CERT has assigned VU#240329, but
has
not created a write-up yet. The reason for the ugly mail2web .sig is
because
I'm posting from school.

--- Advisory Follows ---

Apache 2.0 Cross-Site Scripting Vulnerability

Release Date:
October 2, 2002

Severity:
Medium (Session hijacking/possible compromise)

Systems Affected:
Apache 2.0 prior to 2.0.43

CVE: CAN-2002-0840

Description:
A vulnerability exists in the SSI error pages of Apache 2.0 that involves
incorrect filtering of server signature data. The vulnerability could
enable
an attacker to hijack web sessions, allowing a range of potential
compromises
on the targeted host.

This particular attack involves a lack of filtering on HTTP/1.1 "Host"
headers, sent by most recent browsers. The vulnerability occurs because
Apache doesn't filter maliciously malformed headers containing HTML markup
before passing them onto the browser as entity data.

The following URL will demonstrate the attack:

http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%
3
E.apachesite.org/raise_404

Some browsers submit the malicious host header when parsing this request:

Host: <img src="" onerror="alert(document.cookie)">

Apache returns this malicious host in the form of a server signature:

<ADDRESS>Apache/2.0.39 Server at <IMG SRC=""
ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>

Technical Description:
A few browsers (Internet Explorer for example), decode escaped hostnames in
URL components. With this decoding done, the browser then sends on the
malicious HTTP/1.1 "Host" header, and bounces the request back, completing
the attack. Mozilla could be exploited (as could several other additional
browsers) if JavaScript can be injected without spaces. However, I wasn't
able to come up with a lab scenario for this.

Cross-site scripting vulnerabilities are often assumed to be small, useless
exposures that aren't worth much attention. This is a false assumption --
depending on the applications installed, a successful privilege escalation
via XSS can result in complete compromise of a web server, or other
sensitive
systems. Further, the privacy risks from XSS holes are severe -- many users
will be far less inclined to visit a site that may accidentally cough up
their personal information to an attacker.

Vendor Status:
The Apache Software Foundation has released Apache 2.0.43 to eliminate this
vulnerability. It is available from http://www.apache.org/dist/httpd/

Credit:
* Thanks to Pedram Amini <pedram@redhive.com> for allowing me to use his
Redhive machines for testing.

* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release
of information regarding this vulnerability.

* Thanks to the developers of Apache (and in particular, Mark Cox and Cliff
Woolley) for a fast response to eliminate this vulnerability.

References:
This vulnerability has been included in the MITRE Common Vulnerabilities
and
Exposures database as CAN-2002-0840
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840>, and the
CERT/CC has assigned VU#240329 to this issue.

Disclaimer:
The material in this advisory is subject to change. It is believed accurate
based on experiments though there is no warranty on the information
provided.
I am not responsible for the results of your use/misuse

--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .