<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Apache Multiple Injection Vulnerabilities



Dear Sirs, 

I'll try to comment some of your statements about that issue.

"1. Zeus conforms that the "Error response arbitrary injection" method is not 
applicable to Zeus Web Server."
Right. I haven't tell this at any time.

"2. The "Location HTTP header injection" does affect Zeus Web Server, but only 
constitutes a vulnerability in a particular, uncommon use case for Zeus Web 
Server."
Ok, so we agree it's a vulnerability.

"Zeus agree that preserving any path information in the host header is not 
correct behavior. A more appropriate behaviour would be to return a 400 Bad 
Request response."
I really agree on this.

"This problem should not affect ordinary web clients because no such clients 
will generate this erroneous host header value."
I'm really atonished that nowadays some high skilled people still can think 
this... There are  many ways to "generate this erroneus host header" in client 
side, the first it comes to my mind is using advanced client side scripting 
-XMLhttp... calls, etc.-

"The author's assertion that a malicious attacker could use this behaviour to 
poison a web cache is incorrect in the vast majority of cases"
You have told it right: "Could be used". Many, many, many vulnerabilities, like 
memory corruption problems, end up in something like "could be used to run 
arbitrary code, etc." Could be used.... It depends on the specific scenario. Do 
we agree on this?

"A cache could be poisoned if it were deliberately configured to ignore the 
host header. "
Be careful with this statement... I think it would be more conservative to say: 
A cache could be poisoned if it is configured or if it's default behaviour or 
if in a specific scenario ignores the host header"

"This would only be the case if the cache was acting as an acceleration device, 
fronting a single domain on one web server."
The only case...Ummm, I'm not -by far- so clever nor so sure about this like 
you...

"If you are concerned about this behaviour, you can configure Zeus Web Server 
to remove path and port components from host headers in a request."
Why doing this? No reason for this... You are following RFC's, isnt'it? :-)

"Zeus respectfully requests that security issues are notified directly to Zeus 
before being publicly disclosed."
Yes, I know, and for that reason I contacted you on  "25-07-06 18:29". To be 
more specific I sent the email to: 
"support zeus com" and to "colinw zeus com".
Please review your SMTP logs.
Regarding that issue, maybe after not receiving a response I should have tryed 
to contact again... maybe for two or three times before made it public. Maybe I 
should have also contacted Microsoft, Google, or the half dozen vendors 
affected by this. Maybe I should stop working a whole week...
Or maybe, you, vendors, that spent millions of dollars and have a lot of human 
resources and power, could talk each other, have a beer and decide about a 
building a standarized reliable protocol for contacting you about this kind of 
issues...
Until that day, I will try to contact vendors depending on issues like: past 
feedback from that vendor, available time to spent on that issue, etc.

Having tell all this I could not end without expressing that I sincerely think 
Zeus Web Server is an impressive fast, reliable and secure web server, really 
nice and very user friendly.

As usually, a software project is by far mutch better than some people behind 
it.