[Owasp-brazil] Fw: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection

Augusto Paes de Barros augusto at paesdebarros.com.br
Thu Apr 20 16:30:18 EDT 2006


Can't this header be set with JavaScript?

Cheers,

Augusto.

On 4/20/06, Zaninotti, Thiago <thiago at zaninotti.net> wrote:
> Folks,
>
> During my research with the new web application scanner tool being developed
> by my company (N-Stalker), I ran into a problem that affects all current
> Apache code (including 1.3/2.0/2.2). I contacted the Apache security list and
> we debated the issue rather "heatedly", and it was decided that the bug would
> not be classified as a security problem.
>
> The fact is that the problem can be exploited in specific situations, and I
> would like to bring it first-hand to the OWASP-BR chapter so we can discuss it
> a bit.
>
> Apache's response ended up as follows:
> http://svn.apache.org/viewcvs?rev=394965&view=rev
>
>
> Regards,
> Thiago Zaninotti
>
>
> ----- Original Message -----
> From: "Zaninotti, Thiago" <thiago at nstalker.com>
> To: <security at apache.org>
> Sent: Monday, April 10, 2006 5:27 PM
> Subject: Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML
> Injection
>
>
> > Dear Apache Security Staff,
> >
> > First of all, I would like to congratulate the efforts of Apache
> > Foundation to keep the product on such a stable and secure condition.
> >
> > We have found a low/medium vulnerability in the Apache HTTP Server, more
> > specifically in the default Error pages. The condition may be triggered
> > when a malformed Expect header field is appended to the user's request.
> > The Error Page is the 417 Expectation Failed (http_protocol.c line 1286).
> >
> > Before submitting it for public disclosure, it is reasonable to provide
> > advanced details to Apache Foundation in order to fix the problem.
> >
> > Please, let us know what would be the best date to release the advisory
> > and if you would like to make any statement/adjustments with the
> > information below.
> >
> > Once again, thanks for your attention and the excellent work given to the
> > community.
> >
> > Kindest Regards,
> > Thiago Zaninotti
> >
> > ================== ADVISORY FOLLOWS BELOW ==================================
> >
> >
> >     N-STALKER WEB SECURITY INTELLIGENCE ADVISORY #2006-01
> >      contact(at)nstalker com - http://www.nstalker.com
> >
> > -[ Apache HTTP Server EXPECT Header Default Error Page Arbitrary HTML Injection ]-
> >
> > ============================================================================
> >
> > 1. SUMMARY
> >
> >  Apache Server suffers from HTML injection when processing a request with a
> >  malformed Expect header.
> >
> >  Vulnerability Level: Medium
> >  Affected Version(s): Apache HTTP Server 1.3.34/2.0.55/2.2.0
> >  (other versions and vendors may be affected)
> >
> > 2. DETAILS
> >
> >  According to RFC 2616, the Expect field is used to indicate that a
> >  particular server behavior is expected and required by the client. The
> >  idea is usually to submit the request HEADER data first for server
> >  analysis and receive a 100-continue (Status Code 100) as an agreement to
> >  continue sending the BODY data. Extracted from section 8.2.6:
> >
> >  "The purpose of the 100 (Continue) status (see section 10.1.1) is to
> >   allow a client that is sending a request message with a request body to
> >   determine if the origin server is willing to accept the request (based
> >   on the request headers) before the client sends the request body."
> >
> >  Should the server fail to process it, a 417 Expectation Failed must be
> >  sent to the client.
> >
> >  Apache HTTP Server is shipped with default error messages to provide
> >  detailed information about incorrect requests. Due to an error while
> >  processing an Expectation Failed response, the content of the Expect
> >  header (provided by the client) is arbitrarily appended to the server's
> >  error message without further check.
> >
> >  Extracted from line 1286 of http_protocol.c (v1.3.34):
> >
> >      if (((expect = ap_table_get(r->headers_in, "Expect")) != NULL) &&
> >          (expect[0] != '\0')) {
> >
> >          [...] (expect is rendered in the client's browser without further
> >          filtering)
> >
> >          ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
> >                        "client sent an unrecognized expectation value of "
> >                        "Expect: %s", expect);
> >          ap_send_error_response(r, 0);
> >
> > 3. IMPACT
> >
> >  The vulnerability may be exploited in distinct situations. A malicious
> >  user should append an "Expect:" header field to the HTTP request. Under
> >  regular conditions, the exploitation should be considered harder than
> >  usual, especially because DOM asynchronous request elements (such as
> >  XmlHttpRequest) and ActiveX request objects are restricted to issuing
> >  requests against the window's own target.
> >
> >  When exploited, it may facilitate stealing of the user's credentials and
> >  provide the ability to impersonate forged requests under the victim's
> >  session credentials.
> >
> > 4. PROOF OF CONCEPT
> >
> >  Vulnerability is fairly easy to be reproduced:
> >
> >  [CLIENT REQUEST]
> >  GET / HTTP/1.0
> >  Host: nstalker.com
> >  Expect: <script>alert('nstalker');</script>
> >
> >  [/CLIENT REQUEST]
> >
> >  A 417 Expectation Failed should be displayed and the code will be
> >  rendered on the user side.
> >
> > 5. VENDOR STATUS
> >
> >  + April 10, 2006 - Vulnerability is disclosed to Apache Foundation
> >
> > 6. ABOUT N-STALKER
> >
> >  This advisory has been produced by Thiago Zaninotti and N-Stalker Web
> >  Security Intelligence Labs (aka Sekure SDI labs). Information provided
> >  here is for educational purposes only.
> >
> >  The security flaw was found during evaluation tests of our next
> >  generation Web Application Security Scanner. If you want to find out
> >  more about it, please contact us at beta(at)nstalker(dot)com.
> >
> >  Founded in 2000 and based in Sao Paulo, Brazil, N-Stalker is a leader in
> >  Web Security Tools and produces the well-known Free HTTP Security
> >  Scanner - N-Stealth. For more information about the company, contact us
> >  at http://www.nstalker.com.
> >
> > Kindest Regards,
> >
> > Thiago Zaninotti, Security+, CISSP-ISSAP, CISM
> > CTO - N-Stalker/ZMT
>
>
>
>


--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
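The advisory above shows the raw request and describes the 417 page echoing the Expect value without filtering. The following is an added example (not code from the thread, the advisory, or Apache) of how an administrator can verify whether their own server reflects that header verbatim or HTML-escapes it. The two sample responses are constructed here, modelled loosely on Apache's default 417 page wording; the assumption that the fixed build HTML-escapes the value before placing it in the page is mine and is not stated in the thread.

```python
import html
import socket

# Probe value taken from the advisory's proof of concept.
PROBE = "<script>alert('nstalker');</script>"


def build_request(host: str, expect_value: str) -> bytes:
    """Raw HTTP/1.0 request in the shape the advisory's proof of concept uses."""
    lines = ["GET / HTTP/1.0", f"Host: {host}", f"Expect: {expect_value}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")


def classify_reflection(status: int, headers: dict, body: str, probe: str) -> str:
    """Decide how the server handled the probe.

    'unescaped': the probe appears byte-for-byte in the HTML body (the
                 behaviour the advisory describes).
    'escaped':   only the HTML-escaped form is present (safe reflection).
    'absent':    a 417 page that does not echo the header at all.
    'not-417':   the server did not treat the Expect value as an error.
    """
    if status != 417:
        return "not-417"
    if probe in body:
        return "unescaped"
    if html.escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


def classify_raw(raw: bytes, probe: str) -> str:
    return classify_reflection(*split_response(raw), probe)


def make_417_response(expect_value: str, escape: bool) -> bytes:
    """Constructed sample 417 response (not captured from a real server).

    escape=False mimics the pre-fix page that echoes the header as-is;
    escape=True mimics a build that HTML-escapes the value first (assumption).
    """
    shown = html.escape(expect_value, quote=False) if escape else expect_value
    body = (
        "<html><head><title>417 Expectation Failed</title></head><body>\n"
        "<h1>Expectation Failed</h1>\n"
        "<p>The expectation given in the Expect request-header field could "
        "not be met by this server.</p>\n"
        f"<p>The client sent <pre>\n    Expect: {shown}\n</pre>\n"
        "but we only allow the 100-continue expectation.</p>\n"
        "</body></html>\n"
    ).encode("iso-8859-1")
    head = (
        "HTTP/1.1 417 Expectation Failed\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("iso-8859-1")
    return head + body


def check_own_server(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send the probe to a server you administer and classify its 417 page."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, PROBE))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_raw(b"".join(chunks), PROBE)


if __name__ == "__main__":
    print("pre-fix sample :", classify_raw(make_417_response(PROBE, False), PROBE))
    print("escaped sample :", classify_raw(make_417_response(PROBE, True), PROBE))
```

On Augusto's question: in current browsers the Fetch standard lists Expect among the forbidden request header names, so page script (XMLHttpRequest or fetch) cannot set it; reaching the 417 page with attacker-chosen content needs a client that speaks raw HTTP, which is the reason the advisory itself rates exploitation as harder than usual. The defensive fix on the server side is the same regardless: escape any client-supplied value before it lands in an HTML error page, or serve a custom ErrorDocument that does not echo the header at all.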



