[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability
- To: "Richard Moore" <rich@xxxxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability
- From: "Michal Majchrowicz" <m.majchrowicz@xxxxxxxxx>
- Date: Tue, 24 Apr 2007 11:29:53 +0200
Okay so let's assume that there cany "anything" as the request. But
there has to be something that handles this request? If there is no
"handler" for request "<script>" Apache should return error page. And
what about protocol version? You didn't answer this question.
Regards Michal.
On 4/24/07, Richard Moore <rich@xxxxxxxxxxxxxxxx> wrote:
> Michal Majchrowicz wrote:
> > Hi.
> > I think that server should have a list of valid requests. In fact
> > Apache warns you sometimes that valid requests are:
> > "GET/POST/TRACE/OPTIONS". The solution that it just accepts everything
> > as request and protocol makes no sense. What kind of protocol is
>
> It makes lots of sense as I said - protocols like WebDAV are
> layered on top of HTTP and are implemented in apache using the
> exact same API as PHP uses. They need to add methods like PROPFIND
> etc. Unless they are required to define the exact set of verbs
> supported by every page then there's no way to define a fixed
> list.
>
> I do however agree that it could be restricted to something like
> [A-Z0-9]+ as I said.
>
> Cheers
>
> Rich.
>
> > "<script>"?
> > Regards Michal.
> >
> > On 4/24/07, Richard Moore <rich@xxxxxxxxxxxxxxxx> wrote:
> >> Michal Majchrowicz wrote:
> >> > Hi.
> >> > I think now we can classify this as flaw in Apache. It accepts
> >> > requests that simply make no sense. Take a look at this example:
> >> > <script>alert(document.cookie);</script> /test.php
> >> > <script>alert(document.cookie);</script>
> >> > In some circumstances it may cause XSS vulnerability:
> >> > <?php
> >> > echo $_SERVER['REQUEST_METHOD'];
> >> > echo $_SERVER['SERVER_PROTOCOL'];
> >> > ?>
> >>
> >> As Kradorex Xeron said, that's a flaw in the script. Apache needs
> >> to let arbitrary verbs through to the PHP (or other server extension)
> >> otherwise tools like webdav that require additional verbs could not
> >> be implemented. It is possibly arguable that it should restrict the
> >> verbs to a single alphanumeric string, but it certainly can't be
> >> counted on to be just GET/POST etc.
> >>
> >> Cheers
> >>
> >> Rich.
> >>
> >> > I am now investigating other possible attacks.
> >> > Regards Michal Majchrowicz.
> >> >
> >> > _______________________________________________
> >> > Full-Disclosure - We believe in it.
> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> > Hosted and sponsored by Secunia - http://secunia.com/
> >> >
> >> >
> >>
> >>
> >> --
> >> Richard Moore, Principal Software Engineer,
> >> Westpoint Ltd,
> >> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> >> Tel: +44 161 237 1028
> >> Fax: +44 161 237 1031
> >>
> >
> >
>
>
> --
> Richard Moore, Principal Software Engineer,
> Westpoint Ltd,
> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> Tel: +44 161 237 1028
> Fax: +44 161 237 1031
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/