Rapid7 Security Advisory 33

Posted Aug 6, 2008
Authored by Rapid7, Marc Bevand | Site rapid7.com

Rapid7 Security Advisory - mod_proxy_ftp as included with Apache versions 2.2.9 and below and 2.0.63 and below suffers from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2008-2939
SHA-256 | d723a57690d72923966acad66797f24628da48767d63926e982dee54557fc43f

Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033

CVE: CVE-2008-2939

1. Affected system(s):

KNOWN VULNERABLE:
o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)
o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)

NOT VULNERABLE:
o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support
wildcard characters)

2. Summary

The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a
cross-site scripting vulnerability when handling requests with wildcard
characters (aka globbing characters).

3. Vendor status and information

Apache HTTP Server Project
http://httpd.apache.org

The developers were notified of this vulnerability on July 28, 2008 via
the private security mailing list security@apache.org. They
acknowledged it within 12 hours. On July 29, they assigned it a CVE ID.
On August 5, the vulnerability was fixed in all SVN branches:

o Commit to main trunk:
http://svn.apache.org/viewvc?view=rev&revision=682868
o Commit to 2.2 branch:
http://svn.apache.org/viewvc?view=rev&revision=682870
o Commit to 2.0 branch:
http://svn.apache.org/viewvc?view=rev&revision=682871

4. Solution

Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these
have not been released yet), or apply the patch from SVN commit
r682868.

5. Detailed analysis

When Apache HTTP Server is configured with proxy support
("ProxyRequests On" in the configuration file), and when mod_proxy_ftp
is enabled to support FTP-over-HTTP, requests containing wildcard
characters (asterisk, tilde, opening square bracket, etc.) such as:

GET ftp://host/*<foo> HTTP/1.0

lead to cross-site scripting in the response returned by mod_proxy_ftp:

[...]
<h2>Directory of <a href="/">ftp://host</a>/*<foo></h2>
[...]

To exploit this vulnerability, 'host' must be running an FTP server,
and the last directory component of the path (the XSS payload) must
contain at least one wildcard character and no forward slashes. In
practice, this last requirement is no obstacle at all to developing
working exploits; for example:

ftp://host/*<img%20src=""%20onerror="alert(42)">
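The following is an added illustration, not code from the Apache
project or from Rapid7's advisory. It models the heading quoted above
in both its pre-fix form (the requested path inserted verbatim) and a
hardened form that HTML-escapes the path before it is written into the
response, which is the approach assumed here to be what the SVN fix
applies (the commits themselves are not reproduced on this page). It
also shows a defender-side check over a proxied FTP request path using
the advisory's own preconditions (a final path component with a
wildcard character, no slash, and HTML markup). The function names,
the hand-written escaper and the sample payload are constructed for
this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that matter inside HTML text and attribute
 * values (&, <, >, "). Returns a malloc'd string the caller frees.
 * Hypothetical helper standing in for Apache's own HTML escaping. */
char *html_escape(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '&': n += 5; break;            /* &amp;      */
        case '<': case '>': n += 4; break;  /* &lt; &gt;  */
        case '"': n += 6; break;            /* &quot;     */
        default: n += 1;
        }
    }
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&': rep = "&amp;"; break;
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '"': rep = "&quot;"; break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(o, rep, l); o += l; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Build the "Directory of ..." heading the advisory quotes. With
 * escape == 0 the requested path is inserted verbatim (the pre-fix
 * behaviour); with escape != 0 it is HTML-escaped first (the hardened
 * form assumed for this example). Returns a malloc'd string. */
char *build_dir_heading(const char *host, const char *path, int escape)
{
    const char *fmt = "<h2>Directory of <a href=\"/\">ftp://%s</a>/%s</h2>";
    char *shown;
    if (escape) {
        shown = html_escape(path);
    } else {
        shown = malloc(strlen(path) + 1);
        if (shown) memcpy(shown, path, strlen(path) + 1);
    }
    if (!shown) return NULL;
    int len = snprintf(NULL, 0, fmt, host, shown);
    char *out = malloc((size_t)len + 1);
    if (out) snprintf(out, (size_t)len + 1, fmt, host, shown);
    free(shown);
    return out;
}

/* Defender-side check: flag a proxied FTP path whose last component
 * carries both a wildcard character named in the advisory and HTML
 * markup. Returns 1 if it matches the advisory's preconditions. */
int path_looks_like_glob_xss(const char *path)
{
    const char *last = strrchr(path, '/');
    last = last ? last + 1 : path;
    int has_wild = strpbrk(last, "*~[") != NULL;
    int has_markup = strpbrk(last, "<>\"") != NULL;
    return has_wild && has_markup;
}

int main(void)
{
    const char *payload = "*<foo>";  /* constructed from the advisory's sample */
    char *vuln = build_dir_heading("host", payload, 0);
    char *safe = build_dir_heading("host", payload, 1);
    printf("unescaped: %s\nescaped:   %s\nflagged:   %d\n",
           vuln, safe, path_looks_like_glob_xss(payload));
    free(vuln);
    free(safe);
    return 0;
}
```

The escaped heading renders the payload as literal text
(`/*&lt;foo&gt;`), which is the property the fix needs; the check is
the kind of rule one would put in front of a proxy or run over its
access log while waiting for the patched releases named in section 4.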

6. Credit

Discovered by Marc Bevand of Rapid7.

7. Contact Information

Rapid7, LLC
Email: advisory@rapid7.com
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES with
regard to this information. Any application or distribution of this
information constitutes acceptance AS IS, at the user's own risk.
This information is subject to change without notice.

This advisory Copyright (C) 2008 Rapid7, LLC. Permission is hereby
granted to redistribute this advisory, providing that no changes are
made and that the copyright notices and disclaimers remain intact.