Re: Apache Multiple Injection Vulnerabilities
Vendor Response: Zeus Technology
Zeus have posted an assessment of this advisory, and how it affects users of
Zeus Web Server at the following location:
http://support.zeus.com/zws/security/2007/02/15/location_http_header_injection_vulnerabi
A summary is as follows:
1. Zeus confirms that the "Error response arbitrary injection" method is not
applicable to Zeus Web Server.
2. The "Location HTTP header injection" does affect Zeus Web Server, but only
constitutes a vulnerability in a particular, uncommon use case for Zeus Web
Server.
Assessment of the Location HTTP Header Injection vulnerability
-----------------------------------------------------------------
A web server should preserve a :port component in a URL when issuing a
redirect. This caters for the possibility that the public port is different to
the actual internal port (for example, when running through a proxy on the same
server).
Web servers that preserve this information, such as Zeus Web Server, are
behaving correctly in line with the HTTP specification
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23).
Zeus agree that preserving any path information in the Host header is not
correct behaviour. A more appropriate behaviour would be to return a 400 Bad
Request response.
This problem should not affect ordinary web clients because no such clients
will generate this erroneous host header value.
The author's assertion that a malicious attacker could use this behaviour to
poison a web cache is incorrect in the vast majority of cases, because web
caches ordinarily consider the host header when caching web responses. The web
cache could only be provoked into delivering the incorrect, cached response by
sending a request with the fake host header.
A cache could be poisoned if it were deliberately configured to ignore the host
header. This would only be the case if the cache was acting as an acceleration
device, fronting a single domain on one web server.
Zeus advise that if you are fronting Zeus Web Server with a reverse proxy cache
that has been configured to ignore host headers, it may be possible to poison
the cache and mount an effective Denial of Service attack.
Workaround
If you are concerned about this behaviour, you can configure Zeus Web Server to
remove path and port components from host headers in a request. The following
Request Rewriting rule can be applied to your virtual servers:
# Remove any trailing :port or /URL from Host header
match IN:Host into $ with ([^:/]*)
if matched then
set IN:Host = $1
endif
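The two behaviours contrasted above, modelled in Python as an added example (this is not Zeus's code or configuration): `parse_host` implements the recommended handling, rejecting a Host value that carries a path component (so the server can answer 400) while keeping a `:port` so it survives into the redirect, and `strip_host` mirrors the workaround rule, which discards both the path and the port. The regular expression approximates the RFC 2616 `host [ ":" port ]` grammar; the function names and sample values are assumptions constructed for this illustration.

```python
import re

# Host = host [ ":" port ] (RFC 2616 section 14.23): a hostname or IPv4
# literal, or a bracketed IPv6 literal, optionally followed by a numeric port.
# Anything else, including a "/path" suffix, fails to match.
_HOST_RE = re.compile(
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def parse_host(value):
    """Return (host, port) for a well-formed Host header, else None.

    A path component or any other trailing junk makes the whole value
    invalid; the caller should then respond 400 Bad Request.
    """
    m = _HOST_RE.fullmatch(value.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return None
    return m.group("host").lower(), port


def strip_host(value):
    """The workaround rewrite rule: keep everything before the first ':' or '/'.

    Note that this also drops a legitimate :port, which the assessment says
    a server should preserve when issuing a redirect.
    """
    return re.match(r"[^:/]*", value).group(0)


def redirect_location(host_header, scheme, target_path):
    """Build a redirect from a validated Host header, preserving any :port.

    Returns (status, location) where location is None for a 400 response.
    """
    parsed = parse_host(host_header)
    if parsed is None:
        return 400, None
    host, port = parsed
    authority = host if port is None else f"{host}:{port}"
    return 301, f"{scheme}://{authority}{target_path}"
```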
Other Observations
Zeus Technology works closely with customers, evaluators, security
professionals and other researchers to ensure its products are secure and free
from defects. Any security-related comments received at security@xxxxxxxx, or
through any other means, are treated as being of the utmost importance. Zeus
respectfully requests that security issues be reported directly to Zeus before
being publicly disclosed.