[Owasp-brazil] Fw: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection

Zaninotti, Thiago thiago at zaninotti.net
Thu Apr 20 15:11:55 EDT 2006


Everyone,

During my research with the new web application scanner tool developed
by my company (N-Stalker), I came across a problem that affects all
current Apache code bases (including 1.3/2.0/2.2). I contacted the Apache
security list, we debated the issue quite "heatedly", and it was decided
that the bug would not be classified as a security problem.

The fact is that the problem can be exploited in specific situations, and
I would like to bring it first-hand to the OWASP-BR chapter so we can
discuss it a bit.

Apache's response ended up as follows:
http://svn.apache.org/viewcvs?rev=394965&view=rev


Regards,
Thiago Zaninotti


----- Original Message ----- 
From: "Zaninotti, Thiago" <thiago at nstalker.com>
To: <security at apache.org>
Sent: Monday, April 10, 2006 5:27 PM
Subject: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection


> Dear Apache Security Staff,
>
> First of all, I would like to congratulate the efforts of the Apache 
> Foundation to keep the product in such a stable and secure condition.
>
> We have found a low/medium vulnerability in the Apache HTTP Server, more 
> specifically in the default Error pages. The condition may be triggered 
> when a malformed Expect header field is appended to the user's request. 
> The Error Page is the 417 Expectation Failed (http_protocol.c line 1286).
>
> Before submitting it for public disclosure, it is reasonable to provide 
> advance details to the Apache Foundation in order to fix the problem.
>
> Please, let us know what would be the best date to release the advisory 
> and if you would like to make any statement/adjustments with the 
> information below.
>
> Once again, thanks for your attention and the excellent work given to the 
> community.
>
> Kindest Regards,
> Thiago Zaninotti
>
> ================== ADVISORY FOLLOWS BELOW ==================================
>
>
>     N-STALKER WEB SECURITY INTELLIGENCE ADVISORY #2006-01
>      contact(at)nstalker com - http://www.nstalker.com
>
> -[ Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection ]-
> 
> ============================================================================
>
> 1. SUMMARY
>
>  Apache Server suffers from HTML injection when processing a request with a
>  malformed Expect Header.
>
>  Vulnerability Level: Medium
>  Affected Version(s): Apache HTTP Server 1.3.34/2.0.55/2.2.0
>  (other versions and vendors may be affected)
>
> 2. DETAILS
>
>  According to RFC 2616, the Expect field is used to indicate that a
>  particular server behavior is expected and required by the client. The
>  idea is usually to submit the request HEADER data first for server
>  analysis and receive a 100-continue (Status Code 100) as an agreement to
>  continue sending the BODY data. Extracted from section 8.2.6:
>
>  "The purpose of the 100 (Continue) status (see section 10.1.1) is to
>   allow a client that is sending a request message with a request body to
>   determine if the origin server is willing to accept the request (based
>   on the request headers) before the client sends the request body."
>
>  Should the server fail to process it, a 417 Expectation Failed must be
>  sent to the client.
>
>  Apache HTTP Server is shipped with default error messages to provide
>  detailed information about incorrect requests. Due to an error while
>  processing an Expectation Failed response, the content of the Expect
>  Header (provided by the client) is arbitrarily appended to the server's
>  error message without further check.
>
>  Extracted from line 1286 of http_protocol.c (v1.3.34):
>
>      if (((expect = ap_table_get(r->headers_in, "Expect")) != NULL) &&
>          (expect[0] != '\0')) {
>
>    [...] (expect is rendered in the client's browser without further
>    filtering)
>
>          ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
>                        "client sent an unrecognized expectation value of "
>                        "Expect: %s", expect);
>          ap_send_error_response(r, 0);
>
> 3. IMPACT
>
>  The vulnerability may be exploited in distinct situations. A malicious
>  user should append an "Expect:" header field to the HTTP request. Under
>  regular conditions, the exploitation should be considered harder than
>  usual, especially because DOM asynchronous request elements (such as
>  XmlHttpRequest) and ActiveX request objects are restricted to issuing
>  requests against the window's own target.
>
>  When exploited, it may facilitate stealing of the user's credentials and
>  provide the ability to impersonate forged requests under the victim's
>  session credentials.
>
> 4. PROOF OF CONCEPT
>
>  Vulnerability is fairly easy to reproduce:
>
>  [CLIENT REQUEST]
>  GET / HTTP/1.0
>  Host: nstalker.com
>  Expect: <script>alert('nstalker');</script>
>
>  [/CLIENT REQUEST]
>
>  A 417 Expectation Failed should be displayed and the code will be rendered
>  on the user side.
>
> 5. VENDOR STATUS
>
>  + April 10, 2006 - Vulnerability is disclosed to Apache Foundation
>
> 6. ABOUT N-STALKER
>
>  This advisory has been produced by Thiago Zaninotti and N-Stalker Web
>  Security Intelligence Labs (aka Sekure SDI labs). Information provided
>  here is for educational purposes only.
>
>  The security flaw was found during evaluation tests of our next
>  generation Web Application Security Scanner. If you want to find out
>  more about it, please contact us at beta(at)nstalker(dot)com.
>
>  Founded in 2000 and based in Sao Paulo, Brazil, N-Stalker is a leader in
>  Web Security Tools and produces the well-known Free HTTP Security
>  Scanner - N-Stealth. For more information about the company, contact us
>  at http://www.nstalker.com.
>
> Kindest Regards,
>
> Thiago Zaninotti, Security+, CISSP-ISSAP, CISM
> CTO - N-Stalker/ZMT 
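A check for the reflection the forwarded advisory describes, added here as an example (it is not part of the original post, nor Apache's code): it sends the advisory's probe with an inert marker in place of a script, classifies the 417 reply as raw, escaped or absent, and shows the escaping an error-page template needs. MARKER, probe_server and the two sample replies are constructed for this example.

```python
import html
import re
import socket

MARKER = "probe-417-xyz"  # inert token (constructed); renders as nothing

def build_probe_request(host: str, marker: str) -> bytes:
    # An unrecognized Expect value must draw a 417; the angle brackets show
    # whether the error page escapes header text before embedding it.
    return f"GET / HTTP/1.0\r\nHost: {host}\r\nExpect: <{marker}>\r\n\r\n".encode("ascii")

def classify_417_response(raw: bytes, marker: str) -> str:
    """How did the Expect value come back in the error page?"""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status)
    if not m or m.group(1) != "417":
        return "not-417"
    text = body.decode("latin-1", errors="replace")
    probe = f"<{marker}>"
    if probe in text:
        return "reflected-unescaped"  # raw markup reaches the browser
    if html.escape(probe) in text:
        return "reflected-escaped"    # shown, but neutralised
    return "not-reflected"

def render_417_body(expect_value: str) -> str:
    # Defensive template: escape client-controlled header text before
    # embedding it. Constructed wording, not Apache's own error page.
    return ("<html><body><h1>417 Expectation Failed</h1><p>The client sent<pre>"
            "Expect: " + html.escape(expect_value) +
            "</pre>but only 100-continue is handled.</p></body></html>")

def probe_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a server you operate and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe_request(host, MARKER))
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return classify_417_response(b"".join(chunks), MARKER)

# Constructed sample replies: one echoes the header raw, one uses the template.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 417 Expectation Failed\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><h1>417 Expectation Failed</h1><p>The client sent<pre>"
    b"Expect: <probe-417-xyz></pre>but only 100-continue is handled.</p></body></html>")
FIXED_RESPONSE = (b"HTTP/1.1 417 Expectation Failed\r\nContent-Type: text/html\r\n\r\n"
                  + render_417_body(f"<{MARKER}>").encode("ascii"))
```

Run probe_server against a staging host after patching to confirm the verdict moves from "reflected-unescaped" to "reflected-escaped" or "not-reflected".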





