lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 16 Feb 2007 16:41:53 -0000
From: security@...s.com
To: bugtraq@...urityfocus.com
Subject: Re: Apache Multiple Injection Vulnerabilities

Vendor Response: Zeus Technology

Zeus have posted an assessment of this advisory, and how it affects users of Zeus Web Server at the following location:

http://support.zeus.com/zws/security/2007/02/15/location_http_header_injection_vulnerabi

A summary is as follows:

1. Zeus conforms that the "Error response arbitrary injection" method is not applicable to Zeus Web Server.

2. The "Location HTTP header injection" does affect Zeus Web Server, but only constitutes a vulnerability in a particular, uncommon use case for Zeus Web Server.

Assessment of the Location HTTP Header Injection vulnerability
-----------------------------------------------------------------

A web server should preserve a :port component in a URL when issuing a redirect.  This caters for the possibility that the public port is different to the actual internal port (for example, when running through a proxy on the same server).  

Webservers that preserve this information, such as Zeus Web Server, are behaving correctly in line with the HTTP specification (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23)

Zeus agree that preserving any path information in the host header is not correct behavior.  A more appropriate behaviour would be to return a 400 Bad Request response.

This problem should not affect ordinary web clients because no such clients will generate this erroneous host header value.

The author's assertion that a malicious attacker could use this behaviour to poison a web cache is incorrect in the vast majority of cases, because web caches ordinarily consider the host header when caching web responses.  The web cache could only be provoked into delivering the incorrect, cached response by sending a request with the fake host header.

A cache could be poisoned if it were deliberately configured to ignore the host header.  This would only be the case if the cache was acting as an acceleration device, fronting a single domain on one web server.

Zeus advise that if you are fronting Zeus Web Server with a reverse proxy cache that has been configured to ignore host headers, it may be possible to poison the cache and mount an effective Denial of Service attack.

Workaround

If you are concerned about this behaviour, you can configure Zeus Web Server to remove path and port components from host headers in a request. The following Request Rewriting rule can be applied to your virtual servers:

# Remove any trailing :port or /URL from Host header
match IN:Host into $ with ([^:/]*)
if matched then
  set IN:Host = $1
endif

Other Observations

Zeus Technology works closely with customers, evaluators, security professionals and other researchers to ensure its products are secure and free from defects. Any security-related comments received at security@...s.com, or through any other means, are treated as being of the utmost importance. Zeus respectfully requests that security issues are notified directly to Zeus before being publicly disclosed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ