lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200801150948200083.07601261@securityreason.com>
Date: Tue, 15 Jan 2008 09:48:20 +0100
From: "sp3x" <sp3x@...urityreason.com>
To: full-disclosure@...ts.grok.org.uk
Subject: SecurityReason - Apache (mod_status) Refresh
 Header - Open Redirector (XSS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[SecurityReason - Apache (mod_status) Refresh Header - Open Redirector (XSS)]

Author: sp3x

Date:
- - Written: 15.12.2007
- - Public: 15.01.2008

SecurityReason Research
SecurityAlert Id: 50

CVE: CVE-2007-6388
SecurityRisk: Low

Affected Software: Apache 2.2.x (mod_status)
		   Apache 1.3.x
                   Apache 2.0.x

Advisory URL: http://securityreason.com/achievement_securityalert/50
Vendor: http://httpd.apache.org

- --- 0.Description ---

The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating systems
including UNIX and Windows NT. The goal of this project is to
provide a secure, efficient and extensible server that provides
HTTP services in sync with the current HTTP standards.

Apache has been the most popular web server on the Internet since
April 1996. The November 2005 Netcraft Web Server Survey found
that more than 70% of the web sites on the Internet are using
Apache, thus making it more widely used than all other web
servers combined.

mod_status : http://httpd.apache.org/docs/2.0/mod/mod_status.html

- From apache site : "The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state."

- --- 1. Apache Refresh Header - Open Redirector (XSS) Vulnerability ---

During the fact that Apache mod_status do not filter char ";" we can inject new URL.
This fact give attacker open redirector and can lead to phishing attack.
Also attacker can create more advanced method to trigger XSS on victim's browser.

- --- 2. Exploit ---

SecurityReason is not going to release a exploit to the general public.
Exploit was provided and tested for Apache Team .

- --- 3. How to fix ---

Update to Apache 2.2.7-dev
	  Apache 1.3.40-dev
          Apache 2.0.62-dev

http://httpd.apache.org/security/vulnerabilities_22.html
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_13.html

- --- 4. References ---

A Refreshing Look at Redirection : http://www.securityfocus.com/archive/1/450418 by Amit Klein

- --- 5. Greets ---

For: Maksymilian Arciemowicz ( cXIb8O3 ), Infospec, pi3, p_e_a, mpp

- --- 6. Contact ---

Author: sp3x
Email: sp3x [at] securityreason [dot] com
GPG: http://securityreason.com/key/sp3x.gpg
http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFHjGt7haZ93YsJSwQRAqD6AKDLNgb5jrXfwA/XvJsgabTyvAd+XACgw7WJ
nufKkakHNgwwqaLjZR464Fk=
=T+VM
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ