Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
1. Affected system(s):
KNOWN VULNERABLE:
o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)
o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)
NOT VULNERABLE:
o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support
wildcard characters)
2. Summary
The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a
cross-site scripting vulnerability when handling requests with wildcard
characters (aka globbing characters).
3. Vendor status and information
Apache HTTP Server Project
http://httpd.apache.org
The developers were notified of this vulnerability on July 28, 2008 via
the private security mailing list security@apache.org. They
acknowledged it within 12 hours. On July 29, they assigned it a CVE ID.
On August 5, the vulnerability was fixed in all SVN branches:
o Commit to main trunk:
http://svn.apache.org/viewvc?view=rev&revision=682868
o Commit to 2.2 branch:
http://svn.apache.org/viewvc?view=rev&revision=682870
o Commit to 2.0 branch:
http://svn.apache.org/viewvc?view=rev&revision=682871
4. Solution
Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these
have not been released yet), or apply the patch from SVN commit
r682868.
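To decide whether a given host needs the upgrade or patch, the following added example (not part of the Rapid7 advisory or of Apache's code) checks a version banner against the affected ranges in section 1 and scans a configuration file for the two preconditions named in section 5. The function names and the sample banner and configuration are constructed for illustration.

```python
import re

# Last vulnerable release per branch, from section 1 of the advisory.
LAST_VULNERABLE = {(2, 2): 9, (2, 0): 63}

def version_affected(banner):
    """True/False for branches the advisory covers, None for any other."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    if (major, minor) == (1, 3):
        return False  # 1.3.x: mod_proxy_ftp has no wildcard support
    last = LAST_VULNERABLE.get((major, minor))
    return None if last is None else patch <= last

def config_preconditions(conf_text):
    """Return (proxy_requests_on, proxy_ftp_loaded) for one config file.

    Assumptions: Include'd files are not followed, and a statically
    compiled mod_proxy_ftp (no LoadModule line) is not detected.
    """
    proxy_on = ftp_loaded = False
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()  # directive names are case-insensitive
        if directive == "proxyrequests" and parts[1].lower() == "on":
            proxy_on = True
        elif directive == "loadmodule" and parts[1] == "proxy_ftp_module":
            ftp_loaded = True
    return proxy_on, ftp_loaded

def exposed(banner, conf_text):
    """Affected version with both preconditions present."""
    return bool(version_affected(banner)) and all(config_preconditions(conf_text))

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "Server version: Apache/2.2.9 (Unix)"
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
<VirtualHost *:8080>
    ProxyRequests On
    # ProxyRequests Off
</VirtualHost>
"""

if __name__ == "__main__":
    print(exposed(SAMPLE_BANNER, SAMPLE_CONF))
```

A build that carries the r682868 patch without a version bump still reports an affected version, so a positive result is a prompt to confirm whether the patch is present.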
5. Detailed analysis
When Apache HTTP Server is configured with proxy support
("ProxyRequests On" in the configuration file), and when mod_proxy_ftp
is enabled to support FTP-over-HTTP, requests containing wildcard
characters (asterisk, tilde, opening square bracket, etc.) such as:
GET ftp://host/*
Directory of ftp://host/*
href="/">ftp://host/*