lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080518060902.17799.qmail@securityfocus.com>
Date: 18 May 2008 06:09:02 -0000
From: Tom.Donovan@....org
To: bugtraq@...urityfocus.com
Subject: Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS
 Vulnerability

re: "set 403 page's charset in the server side by writing it in your server code"

Apache *does* set the charset in the HTTP header.  It is set to iso-8859-1 by default.

Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior.  See below for the captured response from a test with this change.

The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache server sends.

re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social engineering"

For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on this server".

There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a "+" is potentially a UTF-7 string.  This is why it is not appropriate for browsers to automatically interpret text as UTF-7.  Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let the browser developers know.

re: percent-encoding the "+" character in URLs

The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 Reserved Characters). RFC3986 goes further and explains why reserved characters like "+" should not be percent-encoded:

  "Percent-encoding a reserved character, or decoding a percent-encoded octet
   that corresponds to a reserved character, will change how the URI is
   interpreted by most applications.  Thus, characters in the reserved
   set are protected from normalization and are therefore safe to be
   used by scheme-specific and producer-specific algorithms for
   delimiting data subcomponents within a URI."

A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be percent-encoded.

Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified to include a <meta http-equiv> tag in the body.  The behavior remains the same in both Firefox or IE with this change.

It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade the attack and make it fully automatic."

It is a disappointment that CVE-2008-2168 was accepted so uncritically.

Regards,
-tom-


====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5 Server at www.victim.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 04:45:49 GMT
Server: Apache/1.3.33 (Unix)
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

23c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
</BODY></HTML>

0

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:53:10 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ