full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Apache HTTP Server mod_pro

[Full-disclosure] Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

From: Marc Bevand <marc_bevand_at_nospam>
Date: Wed Aug 06 2008 - 17:25:26 GMT
To: full-disclosure@lists.grok.org.uk


Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

   Discovered: July 25, 2008
   Published: August 5, 2008
   Revision: 1.1
   http://www.rapid7.com/advisories/R7-0033

   CVE: CVE-2008-2939

  1. Affected system(s):

   KNOWN VULNERABLE:
   o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)    o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)

   NOT VULNERABLE:
   o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support wildcard      characters)

2. Summary

   The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a    cross-site scripting vulnerability when handling requests with wildcard    characters (aka globbing characters).

3. Vendor status and information

   Apache HTTP Server Project
   http://httpd.apache.org

   The developers were notified of this vulnerability on July 28, 2008 via    the private security mailing list security@apache.org. They    acknowledged it within 12 hours. On July 29, they assigned it a CVE ID.    On August 5, the vulnerability was fixed in all SVN branches:

   o Commit to main trunk:
     http://svn.apache.org/viewvc?view=rev&revision=682868    o Commit to 2.2 branch:
     http://svn.apache.org/viewvc?view=rev&revision=682870    o Commit to 2.0 branch:
     http://svn.apache.org/viewvc?view=rev&revision=682871

4. Solution

   Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these    have not been released yet), or apply the patch from SVN commit    r682868.

5. Detailed analysis

   When Apache HTTP Server is configured with proxy support    ("ProxyRequests On" in the configuration file), and when mod_proxy_ftp    is enabled to support FTP-over-HTTP, requests containing wildcard    characters (asterisk, tilde, opening square bracket, etc) such as:

     GET ftp://host/*<foo> HTTP/1.0

   lead to cross-site scripting in the response returned by mod_proxy_ftp:

[...]
<h2>Directory of ftp://host/*<foo></h2>
[...]

   To exploit this vulnerability, 'host' must be running an FTP server,    and the last directory component of the path (the XSS payload) must    be composed of at least 1 wildcard character and must not contain any    forward slashes. In practice, this last requirement is not an obstacle    at all to develop working exploits, example:

     ftp://host/*<img%20src=""%20onerror="alert(42)">

6. Credit

   Discovered by Marc Bevand of Rapid7.    

7. Contact Information

   Rapid7, LLC
   Email: advisory@rapid7.com
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information    provided in our security advisories. These advisories are a service    to the professional security community. There are NO WARRANTIES with    regard to this information. Any application or distribution of this    information constitutes acceptance AS IS, at the user's own risk.    This information is subject to change without notice.

   This advisory Copyright (C) 2008 Rapid7, LLC. Permission is hereby    granted to redistribute this advisory, providing that no changes are    made and that the copyright notices and disclaimers remain intact.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/