Re: Apache Multiple Injection Vulnerabilities
hugo@xxxxxxxxxxxxxxx wrote:
There's a new advisory at:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html
Summarizing:
[...]
b) Control codes injection -backspaces, etc.- thus allowing script injection in
the server response. Right now it seems that this vulnerability is not
affecting real browsers, just because of the "backspace" escaping in the
clients, or due to other things. Anyway, the problem is that echoing back control codes
is a violation of the Content-Type charset in the response and is IMHO a security risk.
Just a quick note: what you demonstrated is that "control characters"
are returned in a response whose charset is "iso-8859-1". But your text
later states that "ISO 8859-1 encodes ...". Notice the difference:
"iso-8859-1" vs. "iso 8859-1" - hyphen vs. space. These are different
character sets - iso-8859-1 is a superset of iso 8859-1, adding all
those control characters and whatnot. From RFC-1345:
&charset ISO_8859-1:1987
&rem source: ECMA registry
&alias iso-ir-100
&g1esc x2d41 &g2esc x2e41 &g3esc x2f41
&alias ISO_8859-1
&alias ISO-8859-1
&alias latin1
&alias l1
&alias IBM819
&alias CP819
&code 0
NU SH SX EX ET EQ AK BL BS HT LF VT FF CR SO SI
DL D1 D2 D3 D4 NK SY EB CN EM SB EC FS GS RS US
SP ! " Nb DO % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
At A B C D E F G H I J K L M N O P Q R S T U V W X Y Z <( // )> '> _
'! a b c d e f g h i j k l m n o p q r s t u v w x y z (! !! !) '? DT
PA HO BH NH IN NL SA ES HS HJ VS PD PU RI S2 S3
DC P1 P2 TS CC MW SG EG SS GC SC CI ST OC PM AC
NS !I Ct Pd Cu Ye BB SE ': Co -a << NO -- Rg '-
DG +- 2S 3S '' My PI .M ', 1S -o >> 14 12 34 ?I
A! A' A> A? A: AA AE C, E! E' E> E: I! I' I> I:
D- N? O! O' O> O? O: *X O/ U! U' U> U: Y' TH ss
a! a' a> a? a: aa ae c, e! e' e> e: i! i' i> i:
d- n? o! o' o> o? o: -: o/ u! u' u> u: y' th y:
So those control characters are not in violation of the stated charset.
Thanks,
-Amit