Re: Re: Apache Multiple Injection Vulnerabilities
Dear Sirs,
I'll try to comment some of your statements about that issue.
"1. Zeus conforms that the "Error response arbitrary injection" method is not
applicable to Zeus Web Server."
Right. I haven't tell this at any time.
"2. The "Location HTTP header injection" does affect Zeus Web Server, but only
constitutes a vulnerability in a particular, uncommon use case for Zeus Web
Server."
Ok, so we agree it's a vulnerability.
"Zeus agree that preserving any path information in the host header is not
correct behavior. A more appropriate behaviour would be to return a 400 Bad
Request response."
I really agree on this.
"This problem should not affect ordinary web clients because no such clients
will generate this erroneous host header value."
I'm really atonished that nowadays some high skilled people still can think
this... There are many ways to "generate this erroneus host header" in client
side, the first it comes to my mind is using advanced client side scripting
-XMLhttp... calls, etc.-
"The author's assertion that a malicious attacker could use this behaviour to
poison a web cache is incorrect in the vast majority of cases"
You have told it right: "Could be used". Many, many, many vulnerabilities, like
memory corruption problems, end up in something like "could be used to run
arbitrary code, etc." Could be used.... It depends on the specific scenario. Do
we agree on this?
"A cache could be poisoned if it were deliberately configured to ignore the
host header. "
Be careful with this statement... I think it would be more conservative to say:
A cache could be poisoned if it is configured or if it's default behaviour or
if in a specific scenario ignores the host header"
"This would only be the case if the cache was acting as an acceleration device,
fronting a single domain on one web server."
The only case...Ummm, I'm not -by far- so clever nor so sure about this like
you...
"If you are concerned about this behaviour, you can configure Zeus Web Server
to remove path and port components from host headers in a request."
Why doing this? No reason for this... You are following RFC's, isnt'it? :-)
"Zeus respectfully requests that security issues are notified directly to Zeus
before being publicly disclosed."
Yes, I know, and for that reason I contacted you on "25-07-06 18:29". To be
more specific I sent the email to:
"support zeus com" and to "colinw zeus com".
Please review your SMTP logs.
Regarding that issue, maybe after not receiving a response I should have tryed
to contact again... maybe for two or three times before made it public. Maybe I
should have also contacted Microsoft, Google, or the half dozen vendors
affected by this. Maybe I should stop working a whole week...
Or maybe, you, vendors, that spent millions of dollars and have a lot of human
resources and power, could talk each other, have a beer and decide about a
building a standarized reliable protocol for contacting you about this kind of
issues...
Until that day, I will try to contact vendors depending on issues like: past
feedback from that vendor, available time to spent on that issue, etc.
Having tell all this I could not end without expressing that I sincerely think
Zeus Web Server is an impressive fast, reliable and secure web server, really
nice and very user friendly.
As usually, a software project is by far mutch better than some people behind
it.