-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[SecurityReason - Apache (mod_status) Refresh Header - Open Redirector (XSS)]

Author: sp3x

Date:
- - Written: 15.12.2007
- - Public: 15.01.2008

SecurityReason Research
SecurityAlert Id: 50

CVE: CVE-2007-6388
SecurityRisk: Low

Affected Software: Apache 2.2.x (mod_status)
       Apache 1.3.x
                   Apache 2.0.x

Advisory URL: http://securityreason.com/achievement_securityalert/50
Vendor: http://httpd.apache.org

- --- 0.Description ---

The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating systems
including UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server that provides
HTTP services in sync with the current HTTP standards.

Apache has been the most popular web server on the Internet since
April 1996. The November 2005 Netcraft Web Server Survey found
that more than 70% of the web sites on the Internet are using
Apache, thus making it more widely used than all other web
servers combined.

mod_status : http://httpd.apache.org/docs/2.0/mod/mod_status.html

- From apache site : "The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state."

- --- 1. Apache Refresh Header - Open Redirector (XSS) Vulnerability ---

During the fact that Apache mod_status do not filter char ";" we can inject new URL.
This fact give attacker open redirector and can lead to phishing attack.
Also attacker can create more advanced method to trigger XSS on victim's browser.

- --- 2. Exploit ---

SecurityReason is not going to release a exploit to the general public.
Exploit was provided and tested for Apache Team .

- --- 3. How to fix ---

Update to Apache 2.2.7-dev
    Apache 1.3.40-dev
          Apache 2.0.62-dev

http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html

- --- 4. References ---

A Refreshing Look at Redirection : http://www.securityfocus.com/archive/1/450418 by Amit Klein

- --- 5. Greets ---

For: Maksymilian Arciemowicz ( cXIb8O3 ), Infospec, pi3, p_e_a, mpp

- --- 6. Contact ---

Author: sp3x
Email: sp3x [at] securityreason [dot] com
GPG: http://securityreason.com/key/sp3x.gpg
http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFHjGt7haZ93YsJSwQRAqD6AKDLNgb5jrXfwA/XvJsgabTyvAd+XACgw7WJ
nufKkakHNgwwqaLjZR464Fk=
=T+VM
-----END PGP SIGNATURE-----