Re: Apache Multiple Injection Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Apache Multiple Injection Vulnerabilities
From: security@xxxxxxxx
Date: 16 Feb 2007 16:41:53 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Vendor Response: Zeus Technology

Zeus have posted an assessment of this advisory, and how it affects users of 
Zeus Web Server at the following location:

http://support.zeus.com/zws/security/2007/02/15/location_http_header_injection_vulnerabi

A summary is as follows:

1. Zeus conforms that the "Error response arbitrary injection" method is not 
applicable to Zeus Web Server.

2. The "Location HTTP header injection" does affect Zeus Web Server, but only 
constitutes a vulnerability in a particular, uncommon use case for Zeus Web 
Server.

Assessment of the Location HTTP Header Injection vulnerability
-----------------------------------------------------------------

A web server should preserve a :port component in a URL when issuing a 
redirect.  This caters for the possibility that the public port is different to 
the actual internal port (for example, when running through a proxy on the same 
server).  

Webservers that preserve this information, such as Zeus Web Server, are 
behaving correctly in line with the HTTP specification 
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23)

Zeus agree that preserving any path information in the host header is not 
correct behavior.  A more appropriate behaviour would be to return a 400 Bad 
Request response.

This problem should not affect ordinary web clients because no such clients 
will generate this erroneous host header value.

The author's assertion that a malicious attacker could use this behaviour to 
poison a web cache is incorrect in the vast majority of cases, because web 
caches ordinarily consider the host header when caching web responses.  The web 
cache could only be provoked into delivering the incorrect, cached response by 
sending a request with the fake host header.

A cache could be poisoned if it were deliberately configured to ignore the host 
header.  This would only be the case if the cache was acting as an acceleration 
device, fronting a single domain on one web server.

Zeus advise that if you are fronting Zeus Web Server with a reverse proxy cache 
that has been configured to ignore host headers, it may be possible to poison 
the cache and mount an effective Denial of Service attack.

Workaround

If you are concerned about this behaviour, you can configure Zeus Web Server to 
remove path and port components from host headers in a request. The following 
Request Rewriting rule can be applied to your virtual servers:

# Remove any trailing :port or /URL from Host header
match IN:Host into $ with ([^:/]*)
if matched then
  set IN:Host = $1
endif

Other Observations

Zeus Technology works closely with customers, evaluators, security 
professionals and other researchers to ensure its products are secure and free 
from defects. Any security-related comments received at security@xxxxxxxx, or 
through any other means, are treated as being of the utmost importance. Zeus 
respectfully requests that security issues are notified directly to Zeus before 
being publicly disclosed.

Prev by Date: Ezboo webstats acces to sensitive files
Next by Date: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass
Previous by thread: RE: Apache Multiple Injection Vulnerabilities
Next by thread: Re: Re: Apache Multiple Injection Vulnerabilities
Index(es):
- Date
- Thread