[SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability]

Author: sp3x

Date:
- Written: 15.12.2007
- Public: 10.01.2008

SecurityReason Research
SecurityAlert Id: 49

CVE: CVE-2008-0005
SecurityRisk: Low

Affected Software: Apache 2.2.x (mod_proxy_ftp)
                   Apache 1.3.x
                   Apache 2.0.x

Advisory URL: http://securityreason.com/achievement_securityalert/49
Vendor: http://httpd.apache.org

--- 0. Description ---

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined.

mod_proxy_ftp: http://httpd.apache.org/docs/2.2/mod/mod_proxy_ftp.html

From the Apache site: "It provides support for the proxying FTP sites. Note that FTP support is currently limited to the GET method."

--- 1. Apache Undefined Charset UTF-7 XSS Vulnerability ---

The UTF-7 XSS exists in mod_proxy_ftp.c. The HTML directory listing it generates does not declare a charset,
so an XSS attack is possible through the ";" character in the URL when the charset is set to UTF-7.
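The following check is an added example written for this advisory, not code from SecurityReason or the Apache project. It takes an HTTP response's headers and body and reports an HTML body that is served without a declared charset and that also contains UTF-7 shift sequences decoding to markup characters, which is the combination that lets a charset-sniffing browser interpret them as tags. The sample directory listing and the hardened header (the fixed releases declare ISO-8859-1 on the listing) are constructed for the example.

```python
import codecs
import re

# A UTF-7 shift sequence: '+' followed by modified base64, usually closed by '-'.
UTF7_SHIFT = re.compile(rb"\+[A-Za-z0-9+/]+-?")

def declared_charset(content_type: str):
    """Return the charset parameter of a Content-Type value, or None if absent."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset" and value:
            return value.strip().strip('"')
    return None

def utf7_markup_leak(body: bytes):
    """List UTF-7 shift sequences in body that decode to HTML-significant characters.

    These are harmless under a declared 8-bit charset; they only become tags
    when the client has to guess the encoding and picks UTF-7."""
    leaks = []
    for m in UTF7_SHIFT.finditer(body):
        try:
            decoded = codecs.decode(m.group(0), "utf-7")
        except UnicodeDecodeError:
            continue  # not a well-formed shift sequence, e.g. a literal '+' in a path
        if any(ch in decoded for ch in "<>\"'"):
            leaks.append((m.group(0).decode("ascii"), decoded))
    return leaks

def assess(headers: dict, body: bytes) -> dict:
    """Combine both conditions into a single finding for one response."""
    ctype = headers.get("Content-Type", "")
    is_html = ctype.split(";")[0].strip().lower() == "text/html"
    charset = declared_charset(ctype)
    leaks = utf7_markup_leak(body) if (is_html and charset is None) else []
    return {"html": is_html, "charset": charset, "utf7_markup": leaks,
            "vulnerable": is_html and charset is None and bool(leaks)}

# Constructed sample: a proxied FTP listing whose entry name carries UTF-7 shift sequences.
SAMPLE_BODY = (b"<html><body><h2>Directory of ftp://ftp.example.test/pub/</h2>\n"
               b'<a href="+ADw-b+AD4-/">+ADw-b+AD4-</a>\n</body></html>')
WEAK_HEADERS = {"Content-Type": "text/html"}                      # charset left undefined
FIXED_HEADERS = {"Content-Type": "text/html; charset=ISO-8859-1"}  # listing charset declared

if __name__ == "__main__":
    print(assess(WEAK_HEADERS, SAMPLE_BODY))
    print(assess(FIXED_HEADERS, SAMPLE_BODY))
```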
--- 2. Exploit ---

SecurityReason is not going to release an exploit to the general public.
The exploit was provided to and tested by the Apache team.

--- 3. How to fix ---

Update to Apache 2.2.7-dev
          Apache 1.3.40-dev
          Apache 2.0.62-dev

--- 4. References ---

Apache2 Undefined Charset UTF-7 XSS Vulnerability: http://securityreason.com/achievement_securityalert/46 by Maksymilian Arciemowicz

--- 5. Greets ---

For: Maksymilian Arciemowicz ( cXIb8O3 ), Infospec, pi3, p_e_a, mpp

--- 6. Contact ---

Author: sp3x
Email: sp3x [at] securityreason [dot] com
GPG: http://securityreason.com/key/sp3x.gpg
http://securityreason.com
http://securityreason.pl