COMMAND

    Apache cross site scripting via SSI error page

SYSTEMS AFFECTED

    Apache 2.0 prior to 2.0.43

PROBLEM

    Matt Murphy [mattmurphy@kc.rr.com] found:

    A vulnerability exists in the SSI error pages of Apache 2.0 that
    involves incorrect filtering of server signature data. The
    vulnerability could enable an attacker to hijack web sessions,
    allowing a range of potential compromises on the targeted host.

    This particular attack involves a lack of filtering on HTTP/1.1
    "Host" headers, sent by most recent browsers. The vulnerability
    occurs because Apache doesn't filter maliciously malformed headers
    containing HTML markup before passing them on to the browser as
    entity data.

    The following URL will demonstrate the attack:

    http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%3E.apachesite.org/raise_404

    Some browsers submit the malicious host header when parsing this
    request:

    Host: <img src="" onerror="alert(document.cookie)">

    Apache returns this malicious host in the form of a server
    signature:

    <ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>

    ...

SOLUTION

    The Apache Software Foundation has released Apache 2.0.43 to
    eliminate this vulnerability. It is available from
    http://www.apache.org/dist/httpd/
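Added example, not code from the advisory or from the Apache source tree: a small C model of the server-signature line, built once with the Host value pasted in verbatim (the behaviour the advisory describes) and once with the value HTML-escaped first, which is the class of fix that stops header contents from being rendered as markup. The MALICIOUS_HOST constant is a constructed sample taken from the Host header quoted above; html_escape and server_signature are hypothetical names, not Apache functions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the Host header value quoted in the advisory. */
static const char *MALICIOUS_HOST =
    "<IMG SRC=\"\" ONERROR=\"alert(document.cookie)\">.apachesite.org";

/* HTML-escape a header value so the browser renders it as text, not markup.
 * Returns a malloc'd string that the caller frees. */
char *html_escape(const char *in) {
    size_t n = 1;                       /* room for the terminating NUL */
    for (const char *p = in; *p; p++)   /* first pass: measure the output */
        n += (*p == '&') ? 5 : (*p == '"') ? 6 : (*p == '<' || *p == '>') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) { /* second pass: emit entities */
        switch (*p) {
            case '<': q += sprintf(q, "&lt;");   break;
            case '>': q += sprintf(q, "&gt;");   break;
            case '&': q += sprintf(q, "&amp;");  break;
            case '"': q += sprintf(q, "&quot;"); break;
            default:  *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Build the <ADDRESS> server-signature line of an error page. escape == 0
 * pastes the Host value in verbatim (pre-2.0.43 behaviour per the advisory);
 * escape != 0 runs it through html_escape() first. Caller frees the result. */
char *server_signature(const char *version, const char *host, int escape) {
    char *safe = escape ? html_escape(host) : malloc(strlen(host) + 1);
    if (!safe) return NULL;
    if (!escape) strcpy(safe, host);
    size_t n = strlen(version) + strlen(safe) + 40;
    char *sig = malloc(n);
    if (sig) snprintf(sig, n, "<ADDRESS>%s Server at %s</ADDRESS>", version, safe);
    free(safe);
    return sig;
}

int main(void) {
    char *raw = server_signature("Apache/2.0.39", MALICIOUS_HOST, 0);
    char *fixed = server_signature("Apache/2.0.39", MALICIOUS_HOST, 1);
    printf("unfiltered: %s\nescaped:    %s\n", raw, fixed);
    free(raw); free(fixed);
    return 0;
}
```

The unfiltered line reproduces the signature quoted in the advisory; the escaped line carries the same host text as entities, so the browser shows it instead of executing it.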