Re: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method
If the string with angle brackets ('<PROCHECKUP>') is NOT returned
anymore after making the Apache config changes, then the script
shouldn't print 'VULNERABLE'.
Did you reload the Apache configuration? i.e.:
sudo /etc/init.d/apache2 reload
You might want to do a manual test in order to find out why the script
still reports the host is vulnerable:
echo -en "<PROCHECKUP> / HTTP/1.1\nHost: localhost\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 localhost 80
mcalautt@xxxxxxxxx wrote:
| what happens when you add a custom 413 page
| and the test script still says it's vulnerable?
|
| is the script not working ?
|
| ../bin/httpd -V
| Server version: Apache/2.0.54
| Server built: Jul 25 2007 17:21:43
| Server compiled with....
| -D APACHE_MPM_DIR="server/mpm/worker"
| -D APR_HAS_SENDFILE
| -D APR_HAS_MMAP
| -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
| -D APR_USE_SYSVSEM_SERIALIZE
| -D APR_USE_PTHREAD_SERIALIZE
| -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
| -D APR_HAS_OTHER_CHILD
| -D AP_HAVE_RELIABLE_PIPED_LOGS
| -D HTTPD_ROOT="/usr/local/apache2"
| -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
| -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
| -D DEFAULT_ERRORLOG="logs/error_log"
| -D AP_TYPES_CONFIG_FILE="conf/mime.types"
| -D SERVER_CONFIG_FILE="conf/httpd.conf"
|
| grep 413 httpd.conf
| ErrorDocument 413 /error/413.html
|
|
| ./scan-413.sh localhost
| localhost is VULNERABLE!
|
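A small checker equivalent to the manual nc test above, added here as an example and not part of the thread or of scan-413.sh: it builds the same malformed request and reports VULNERABLE only when the marker comes back with its angle brackets intact, which is the distinction the reply asks the poster to verify by hand. The sample responses are constructed (the first approximates Apache's stock 413 page, not a capture from the poster's host), and probe() is an assumed live helper that does network I/O.

```python
import html
import socket

MARKER = "<PROCHECKUP>"

def build_probe(host: str) -> bytes:
    # Same request the thread pipes into nc: the marker as the HTTP method,
    # with duplicate Content-length headers so Apache answers with a 413.
    return (
        f"{MARKER} / HTTP/1.1\nHost: {host}\nConnection: close\n"
        "Content-length: 0\nContent-length: 0\n\n"
    ).encode("ascii")

def classify(raw: bytes) -> dict:
    """Status code plus a verdict for one raw HTTP response."""
    text = raw.decode("latin-1")
    lines = text.splitlines()
    parts = lines[0].split() if lines else []
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    if MARKER in text:
        verdict = "VULNERABLE"      # brackets reflected unescaped
    elif html.escape(MARKER) in text:
        verdict = "escaped"         # reflected as &lt;PROCHECKUP&gt;
    else:
        verdict = "not reflected"   # e.g. a custom ErrorDocument 413 in use
    return {"status": status, "verdict": verdict}

def probe(host: str, port: int = 80, timeout: float = 4.0) -> dict:
    """Live check (network I/O, assumed helper): send the probe, classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return classify(b"".join(chunks))

# Constructed sample responses (not captured from the poster's server);
# the first approximates Apache's stock 413 page, which echoes the method.
DEFAULT_413 = (
    b"HTTP/1.1 413 Request Entity Too Large\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\nConnection: close\r\n\r\n"
    b"<html><body><h1>Request Entity Too Large</h1>The requested resource"
    b"<br />/<br />does not allow request data with <PROCHECKUP> requests."
    b"</body></html>"
)
CUSTOM_413 = (
    b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Type: text/html\r\n"
    b"Connection: close\r\n\r\n<html><body><h1>Request too large</h1></body></html>"
)
```

Run classify() on the two samples to see the two outcomes the thread is arguing about; a host that still returns the first shape after the ErrorDocument change has not actually picked up the new configuration.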