Apache cross site scripting via SSI error page
3rd Oct 2002 [SBWID-5727]


	Apache 2.0 prior to 2.0.43


	Matt Murphy [mattmurphy@kc.rr.com] found:

	A vulnerability exists in the SSI error pages of Apache 2.0 that
	involves incorrect filtering of server signature data. The
	vulnerability could enable an attacker to hijack web sessions, allowing
	a range of potential compromises on the targeted host.

	This particular attack involves a lack of filtering on HTTP/1.1 "Host"
	headers, sent by most recent browsers. The vulnerability occurs because
	Apache doesn't filter maliciously malformed headers containing HTML
	markup before passing them on to the browser as entity data.

	The following URL will demonstrate the attack:



	Some browsers submit the malicious host header when parsing this

	Host: <img src="" onerror="alert(document.cookie)">


	Apache returns this malicious host in the form of a server signature:

	<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>
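
	The reflection shown above, next to an escaped rendering of the same signature, as an added example that is not Apache's code or part of the original advisory. The function names and the configured_name parameter are hypothetical, and the hostname check assumes plain hostname[:port] values only.

```python
import html
import re

# Constructed sample: the Host value and server string shown in the advisory.
PAGE_HOST = '<img src="" onerror="alert(document.cookie)">.apachesite.org'
SERVER = "Apache/2.0.39"

# hostname[:port] only. Assumption: bracketed IPv6 literals are out of scope.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(_LABEL + r"(?:\." + _LABEL + r")*\.?(?::\d{1,5})?")


def is_valid_host(value: str) -> bool:
    """True only if the Host header value is a plain hostname[:port]."""
    return len(value) <= 255 and _HOST_RE.fullmatch(value) is not None


def signature_unescaped(server: str, host: str) -> str:
    """The behaviour the advisory describes: Host copied into the page as-is."""
    return "<ADDRESS>%s Server at %s</ADDRESS>" % (server, host)


def signature_escaped(server: str, host: str) -> str:
    """Same page fragment with both values HTML-escaped before output."""
    return "<ADDRESS>%s Server at %s</ADDRESS>" % (
        html.escape(server, quote=True), html.escape(host, quote=True))


def render_signature(server: str, host: str, configured_name: str) -> str:
    """Validate first, escape always: a Host that is not a hostname is
    replaced by the configured server name (hypothetical parameter)."""
    name = host if is_valid_host(host) else configured_name
    return signature_escaped(server, name)


if __name__ == "__main__":
    print(signature_unescaped(SERVER, PAGE_HOST))   # markup reaches the browser
    print(signature_escaped(SERVER, PAGE_HOST))     # markup rendered as text
    print(render_signature(SERVER, PAGE_HOST, "www.apachesite.org"))
```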





	The Apache Software Foundation has released Apache 2.0.43 to eliminate
	this vulnerability. It is available from
