lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <487B42EF.8080401@procheckup.com>
Date: Mon, 14 Jul 2008 13:13:35 +0100
From: ProCheckUp Research <research@...checkup.com>
To: mcalautt@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed
 HTTP method

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If the string with angle brackets ('<PROCHECKUP>') is NOT returned
anymore after making the Apache config changes, then the script
shouldn't print 'VULNERABLE'.

Did you reload the Apache configuration? i.e.:

sudo /etc/init.d/apache2 reload

You might want to do a manual test in order to find out why the script
still reports the host is vulnerable:

echo -en "<PROCHECKUP> / HTTP/1.1\nHost: localhost\nConnection:
close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 localhost 80

mcalautt@...il.com wrote:
| what happens when you add a customer 413 page
| and the test script still says its vul ?
|
| is the script not working ?
|
|  ../bin/httpd -V
| Server version: Apache/2.0.54
| Server built:   Jul 25 2007 17:21:43
| Server compiled with....
|  -D APACHE_MPM_DIR="server/mpm/worker"
|  -D APR_HAS_SENDFILE
|  -D APR_HAS_MMAP
|  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
|  -D APR_USE_SYSVSEM_SERIALIZE
|  -D APR_USE_PTHREAD_SERIALIZE
|  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
|  -D APR_HAS_OTHER_CHILD
|  -D AP_HAVE_RELIABLE_PIPED_LOGS
|  -D HTTPD_ROOT="/usr/local/apache2"
|  -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
|  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
|  -D DEFAULT_ERRORLOG="logs/error_log"
|  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
|  -D SERVER_CONFIG_FILE="conf/httpd.conf"
|
| grep 413 httpd.conf
|      ErrorDocument 413 /error/413.html
|
|
| ./scan-413.sh localhost
| localhost is VULNERABLE!
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIe0LvoR/Hvsj3i8sRAsXeAJ46YzATvwE4s7b9x4uCvSVbKtGOXwCff5YF
b2QruMwnZ52vekxyeouCmEs=
=nJtl
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ