Apache2 Undefined Charset UTF-7 XSS Vulnerability

Advisory Content :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Apache2 Undefined Charset UTF-7 XSS Vulnerability ]

Author: SecurityReason
Maksymilian Arciemowicz (cXIb8O3)

Date:
- - Written: 08.08.2007
- - Public: 11.09.2007

SecurityReason Research
SecurityAlert Id: 46

CVE: CVE-2007-4465
SecurityRisk: Low

Affected Software: Apache 2.x (mod_autoindex)
Advisory URL: http://securityreason.com/achievement_securityalert/46
Vendor: http://httpd.apache.org

- --- 0.Description ---

The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems including UNIX and
Windows NT. The goal of this project is to provide a secure, efficient and
extensible server that provides HTTP services in sync with the current HTTP
standards.

Apache has been the most popular web server on the Internet since April
1996. The November 2005 Netcraft Web Server Survey found that more than 70%
of the web sites on the Internet are using Apache, thus making it more
widely used than all other web servers combined.

- --- 1. Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability ---

The XSS(UTF7) exist in mod_autoindex.c . Charset is not defined and we can
provide XSS attack using "P" option available in apache 2.2.4 by setting
Charset to UTF-7.

"P=pattern lists only files matching the given pattern"

More : http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

- -Source code from mod_autoindex.c--------------
#if APR_HAS_UNICODE_FS
ap_set_content_type(r, "text/html;charset=utf-8");
#else
ap_set_content_type(r, "text/html");
#endif
- -Source code from mod_autoindex.c--------------

if APR_HAS_UNICODE_FS is set to 1 then we have defined charset and this is
present on Windows systems . But on on unix , linux systems the charset is
not definded.

- --- EXAMPLE 1 ---
# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'

GET /icons/ http/1.1
Host: localhost
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Thu, 09 Aug 2007 01:01:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16
OpenSSL/0.9.7j
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Index of /icons</TITLE>
</HEAD>
<BODY>
<H1>Index of /icons</H1>
...
- --- EXAMPLE 1 ---

- --- EXAMPLE 2 ---
# telnet httpd.apache.org 80
Trying 140.211.11.130...
Connected to httpd.apache.org.
Escape character is '^]'.

GET /icons/ http/1.1
Host: httpd.apache.org
Content-type: text/html
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 08 Aug 2007 23:06:26 GMT
Server: Apache/2.3.0-dev (Unix)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /icons</title>
</head>
<body>
<h1>Index of /icons</h1>
...
- --- EXAMPLE 2 ---

Any request to folder /icons don't give charset in main header and in
<head></head> section. In requests like 400 404 etc charset is defined
(standard UTF8).

For example :

- --- EXAMPLE 3 (400) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /%0 HTTP/1.1
Host: localhost

HTTP/1.1 400 Bad Request
Date: Thu, 09 Aug 2007 13:13:32 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16
OpenSSL/0.9.7j
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
...
- --- EXAMPLE 3 ---

- --- EXAMPLE 4 (404) ---
# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
GET /noex HTTP/1.1
Host: localhost

HTTP/1.1 404 Not Found
Date: Thu, 09 Aug 2007 13:14:48 GMT
Server: Apache/1.3.29 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.16
OpenSSL/0.9.7j
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
...
- --- EXAMPLE 4 ---

Any request from family 4xx is defined with charset. Because it is possible
put the text to site (like wrong patch) in 404. Main idea was that, anybody
can't put any text to this site with folder. And it was good idea, but in
apache 2.x exist option "P".
Like:

http://localhost/icons/?P=[Filter]

Any value gived to this variable is displayed in html text. For example :

http://localhost/icons/?P=Hallo

- --- HTML --------
<pre><img src="/icons/blank.gif" alt="Icon "> <a
href="?C=N;O=D;P=Hallo">Name</a>
- -----------------

- --- 2. Exploit ---

SecurityReason is not going to release a exploit to the general public.
Exploit was provided and tested for Apache Team .

- --- 3. How to fix ---

Update to Apache 2.2.6

http://www.apache.org/dist/httpd/CHANGES_2.2.6

- ---
mod_autoindex: Add in Type and Charset options to IndexOptions
directive. This allows the admin to explicitly set the
content-type and charset of the generated page and is therefore
a viable workaround for buggy browsers affected by CVE-2007-4465
(cve.mitre.org). [Jim Jagielski]
- ---

- --- 4. Greets ---

For: sp3x, Infospec, p_e_a

- --- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (OpenBSD)

iD8DBQFG6F0A3Ke13X/fTO4RAg49AJ9ZYTCR02BWOxInIA0qybXBagnu4wCdFvlo
MGWmxpeZzSTbVKnHIP5M+2o=
=BrVf
-----END PGP SIGNATURE-----

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

Apache2 Undefined Charset UTF-7 XSS Vulnerability