Re: Apache Multiple Injection Vulnerabilities

To: hugo@xxxxxxxxxxxxxxx
Subject: Re: Apache Multiple Injection Vulnerabilities
From: Amit Klein <aksecurity@xxxxxxxxx>
Date: Thu, 15 Feb 2007 20:39:19 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070214052036.20529.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070214052036.20529.qmail@xxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.7 (Windows/20060909)

hugo@xxxxxxxxxxxxxxx wrote:

There's a new advisory at:
http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html

Summarizing:

[...]

b) Control codes injection -backspaces, etc.- thus allowing script injection in 
the server response. Right now it seems that this vulnerability is not
affecting real browsers, just because of the "backspace" escaping in the 
clients, or due to other things. Anyway, the problem is that echoing back control codes 
is a violation of the Content-Type charset in the response and is IMHO a security risk.

Just a quick note: what you demonstrated is that "control characters"are returned in a response whose charset is "iso-8859-1". But your textlater states that "ISO 8859-1 encodes ...". Notice the difference:"iso-8859-1" vs. "iso 8859-1" - hyphen vs. space. These are differentcharacter sets - iso-8859-1 is a superset of iso 8859-1, adding allthose control characters and whatnot. From RFC-1345:


&charset ISO_8859-1:1987
 &rem source: ECMA registry
 &alias iso-ir-100
 &g1esc x2d41 &g2esc x2e41 &g3esc x2f41
 &alias ISO_8859-1
 &alias ISO-8859-1
 &alias latin1
 &alias l1
 &alias IBM819
 &alias CP819
 &code 0
 NU SH SX EX ET EQ AK BL BS HT LF VT FF CR SO SI
 DL D1 D2 D3 D4 NK SY EB CN EM SB EC FS GS RS US
 SP ! " Nb DO % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
 At A B C D E F G H I J K L M N O P Q R S T U V W X Y Z <( // )> '> _
 '! a b c d e f g h i j k l m n o p q r s t u v w x y z (! !! !) '? DT
 PA HO BH NH IN NL SA ES HS HJ VS PD PU RI S2 S3
 DC P1 P2 TS CC MW SG EG SS GC SC CI ST OC PM AC
 NS !I Ct Pd Cu Ye BB SE ': Co -a << NO -- Rg '-
 DG +- 2S 3S '' My PI .M ', 1S -o >> 14 12 34 ?I
 A! A' A> A? A: AA AE C, E! E' E> E: I! I' I> I:
 D- N? O! O' O> O? O: *X O/ U! U' U> U: Y' TH ss
 a! a' a> a? a: aa ae c, e! e' e> e: i! i' i> i:
 d- n? o! o' o> o? o: -: o/ u! u' u> u: y' th y:

So those control characters are not in violation of the stated charset.

Thanks,
-Amit

Follow-Ups:
- Re: Apache Multiple Injection Vulnerabilities
  - From: Hugo Vázquez Caramés

References:
- Apache Multiple Injection Vulnerabilities
  - From: hugo

Prev by Date: Re: Re[2]: Solaris telnet vulnberability - how many on your network?
Next by Date: Re: Solaris telnet vulnberability - how many on your network?
Previous by thread: Apache Multiple Injection Vulnerabilities
Next by thread: Re: Apache Multiple Injection Vulnerabilities
Index(es):
- Date
- Thread