Date: Thu, 15 Feb 2007 20:39:19 +0200
From: Amit Klein <aksecurity@...il.com>
To: hugo@...ohacking.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Apache Multiple Injection Vulnerabilities

hugo@...ohacking.com wrote:
> There's a new advisory at:
> http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
>
> Summarizing:
>
> [...]
>
> b) Control codes injection -backspaces, etc.- thus allowing script injection in the server response. Right now it seems that this vulnerability is not
> affecting real browsers, just because of the "backspace" escaping in the clients, or due to other things. Anyway, the problem is that echoing back control codes is a violation of the Content-Type charset in the response and is IMHO a security risk.
>
>   

Just a quick note: what you demonstrated is that "control characters" 
are returned in a response whose charset is "iso-8859-1". But your text 
later states that "ISO 8859-1 encodes ...". Notice the difference: 
"iso-8859-1" vs. "iso 8859-1" - hyphen vs. space. These are different 
character sets - iso-8859-1 is a superset of iso 8859-1, adding all 
those control characters and whatnot. From RFC-1345:

&charset ISO_8859-1:1987
  &rem source: ECMA registry
  &alias iso-ir-100
  &g1esc x2d41 &g2esc x2e41 &g3esc x2f41
  &alias ISO_8859-1
  &alias ISO-8859-1
  &alias latin1
  &alias l1
  &alias IBM819
  &alias CP819
  &code 0
  NU SH SX EX ET EQ AK BL BS HT LF VT FF CR SO SI
  DL D1 D2 D3 D4 NK SY EB CN EM SB EC FS GS RS US
  SP ! " Nb DO % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
  At A B C D E F G H I J K L M N O P Q R S T U V W X Y Z <( // )> '> _
  '! a b c d e f g h i j k l m n o p q r s t u v w x y z (! !! !) '? DT
  PA HO BH NH IN NL SA ES HS HJ VS PD PU RI S2 S3
  DC P1 P2 TS CC MW SG EG SS GC SC CI ST OC PM AC
  NS !I Ct Pd Cu Ye BB SE ': Co -a << NO -- Rg '-
  DG +- 2S 3S '' My PI .M ', 1S -o >> 14 12 34 ?I
  A! A' A> A? A: AA AE C, E! E' E> E: I! I' I> I:
  D- N? O! O' O> O? O: *X O/ U! U' U> U: Y' TH ss
  a! a' a> a? a: aa ae c, e! e' e> e: i! i' i> i:
  d- n? o! o' o> o? o: -: o/ u! u' u> u: y' th y:

So those control characters are not in violation of the stated charset.

Thanks,
-Amit
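The distinction drawn above (the IANA charset ISO-8859-1 assigns all 256 byte values, C0 and C1 control ranges included, so a control byte in a response declared with that charset is not malformed for the charset, even though echoing it is still unwanted) can be checked in a few lines. The following is an added example written for this archive page; it is not code from the advisory or from the message, and the sample request path and the `sanitize_for_reflection` policy are constructed for illustration.

```python
"""Added example (not from the advisory or the message above).

Two separate questions a reviewer should keep apart:
  1. Is a byte sequence valid under the declared charset?  For ISO-8859-1
     the answer is always yes, because the IANA charset (like Python's
     'iso-8859-1' codec) maps every byte 0x00-0xFF, including the C0 and
     C1 control rows shown in the RFC 1345 table.
  2. Should a control byte from the request be reflected into the response
     body at all?  That is a sanitisation question, independent of charset
     validity, and is what a defender acts on.
"""

# C0 controls (0x00-0x1F) plus DEL (0x7F), and C1 controls (0x80-0x9F):
# the "NU SH SX ... US" and "PA HO BH ... AC" rows of the RFC 1345 entry.
C0 = set(range(0x00, 0x20)) | {0x7F}
C1 = set(range(0x80, 0xA0))
CONTROL = C0 | C1

# Whitespace controls that ordinary text legitimately carries.
BENIGN = {0x09, 0x0A, 0x0D}


def decodes_as(data: bytes, charset: str) -> bool:
    """True if every byte of `data` is a code point of `charset`.

    For 'iso-8859-1' this is always True; for 'ascii' it fails on any
    byte >= 0x80, which is the contrast the message draws.
    """
    try:
        data.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


def find_control_chars(data: bytes):
    """List (offset, byte, 'C0'|'C1') for each non-benign control byte.

    Useful as a detection rule over request components that a server or
    application is about to echo back.
    """
    hits = []
    for offset, b in enumerate(data):
        if b in CONTROL and b not in BENIGN:
            hits.append((offset, b, "C0" if b in C0 else "C1"))
    return hits


def sanitize_for_reflection(data: bytes, replacement: bytes = b"?") -> bytes:
    """Replace non-benign control bytes before a value is reflected.

    The replacement policy is a constructed choice for the example; a
    stricter handler would reject the request instead of rewriting it.
    """
    fill = replacement[0]
    return bytes(fill if (b in CONTROL and b not in BENIGN) else b
                 for b in data)


# Constructed sample: a request path carrying three backspaces (0x08, "BS"
# in the C0 row) and one C1 control (0x85, "NL" in the C1 row).
SAMPLE = b"/index.html\x08\x08\x08\x85tail"

if __name__ == "__main__":
    print("valid ISO-8859-1:", decodes_as(SAMPLE, "iso-8859-1"))
    print("valid US-ASCII:  ", decodes_as(SAMPLE, "ascii"))
    print("control bytes:   ", find_control_chars(SAMPLE))
    print("sanitised:       ", sanitize_for_reflection(SAMPLE))
```

Run as a script it reports that the sample is valid ISO-8859-1 but not valid US-ASCII, lists the four control bytes with their offsets, and prints the sanitised path; `find_control_chars` is the piece a log-based detection would reuse.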
