lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: mattmurphy at (
Subject: Apache 2 Cross-Site Scripting

This is being submitted without an update to Apache, but I am expecting an 
Apache Update Announcement shortly.  The CVE has already assigned a
candidate to this (it is currently reserved), and CERT has assigned 
VU#240329, but has not created a write-up yet.  The reason for the ugly 
mail2web .sig is because I'm posting from school.

--- Advisory Follows ---

Apache 2.0 Cross-Site Scripting Vulnerability

Release Date:
October 2, 2002

Medium (Session hijacking/possible compromise)

Systems Affected:
Apache 2.0 prior to 2.0.43

CVE: CAN-2002-0840

A vulnerability exists in the SSI error pages of Apache 2.0 that involves 
incorrect filtering of server signature data. The vulnerability could
an attacker to hijack web sessions, allowing a range of potential
on the targeted host.

This particular attack involves a lack of filtering on HTTP/1.1 "Host" 
headers, sent by most recent browsers. The vulnerability occurs because 
Apache doesn't filter maliciously malformed headers containing HTML markup 
before passing them onto the browser as entity data.

The following URL will demonstrate the attack:


Some browsers submit the malicious host header when parsing this request:

Host: <img src="" onerror="alert(document.cookie)">

Apache returns this malicious host in the form of a server signature:

<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" 

Technical Description:
A few browsers (Internet Explorer for example), decode escaped hostnames in 
URL components. With this decoding done, the browser then sends on the 
malicious HTTP/1.1 "Host" header, and bounces the request back, completing 
the attack. Mozilla could be exploited (as could several other additional 
browsers) if JavaScript can be injected without spaces. However, I wasn't 
able to come up with a lab scenario for this.

Cross-site scripting vulnerabilities are often assumed to be small, useless 
exposures that aren't worth much attention. This is a false assumption -- 
depending on the applications installed, a successful privilege escalation 
via XSS can result in complete compromise of a web server, or other
systems. Further, the privacy risks from XSS holes are severe -- many users 
will be far less inclined to visit a site that may accidentally cough up 
their personal information to an attacker.

Vendor Status:
The Apache Software Foundation has released Apache 2.0.43 to eliminate this 
vulnerability. It is available from

* Thanks to Pedram Amini <> for allowing me to use his 
Redhive machines for testing.

* Thanks to Jason Rafail of the CERT/CC for helping co-ordinate the release 
of information regarding this vulnerability.

* Thanks to the developers of Apache (and in particular, Mark Cox and Cliff 
Woolley) for a fast response to eliminate this vulnerability.

This vulnerability has been included in the MITRE Common Vulnerabilities
Exposures database as CAN-2002-0840 
<>, and the 
CERT/CC has assigned VU#240329 to this issue.

The material in this advisory is subject to change. It is believed accurate 
based on experiments though there is no warranty on the information
I am not responsible for the results of your use/misuse 

mail2web - Check your email from the web at .

mail2web - Check your email from the web at .

Powered by blists - more mailing lists