
Re: PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method



If the string with angle brackets ('<PROCHECKUP>') is NOT returned
anymore after making the Apache config changes, then the script
shouldn't print 'VULNERABLE'.

Did you reload the Apache configuration? i.e.:

sudo /etc/init.d/apache2 reload

You might want to do a manual test in order to find out why the script
still reports the host is vulnerable:

echo -en "<PROCHECKUP> / HTTP/1.1\nHost: localhost\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 localhost 80

mcalautt@xxxxxxxxx wrote:
| what happens when you add a custom 413 page
| and the test script still says it's vul?
|
| is the script not working?
|
|  ../bin/httpd -V
| Server version: Apache/2.0.54
| Server built:   Jul 25 2007 17:21:43
| Server compiled with....
|  -D APACHE_MPM_DIR="server/mpm/worker"
|  -D APR_HAS_SENDFILE
|  -D APR_HAS_MMAP
|  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
|  -D APR_USE_SYSVSEM_SERIALIZE
|  -D APR_USE_PTHREAD_SERIALIZE
|  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
|  -D APR_HAS_OTHER_CHILD
|  -D AP_HAVE_RELIABLE_PIPED_LOGS
|  -D HTTPD_ROOT="/usr/local/apache2"
|  -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
|  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
|  -D DEFAULT_ERRORLOG="logs/error_log"
|  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
|  -D SERVER_CONFIG_FILE="conf/httpd.conf"
|
| grep 413 httpd.conf
|      ErrorDocument 413 /error/413.html
|
|
| ./scan-413.sh localhost
| localhost is VULNERABLE!
|

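An added verification script, not part of this thread or of the original scan-413.sh, that sends the same probe request as the nc one-liner above and classifies the reply by whether the marker comes back with its angle brackets intact, HTML-escaped, or not at all. The host name, port, CRLF line endings and the escaped-form string are assumptions; the nc one-liner uses bare LF, which Apache also accepts.

```python
import socket
import sys

# Constructed probe: the request method is the marker string. The affected
# Apache builds answered with a 413 page that echoed the method back unescaped.
MARKER = b"<PROCHECKUP>"
ESCAPED = b"&lt;PROCHECKUP&gt;"   # assumed form of a correctly escaped echo
REQUEST = (
    MARKER + b" / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Connection: close\r\n"
    b"Content-length: 0\r\n"
    b"Content-length: 0\r\n\r\n"
)


def classify(response: bytes) -> str:
    """'vulnerable' if the raw marker is reflected, 'escaped' if only the
    HTML-encoded form appears, 'clean' if the page does not echo it at all."""
    if MARKER in response:
        return "vulnerable"
    if ESCAPED in response:
        return "escaped"
    return "clean"


def status_code(response: bytes):
    """Numeric status from the status line (LF or CRLF), or None if absent."""
    first = response.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None


def probe(host: str, port: int = 80, timeout: float = 4.0) -> bytes:
    """Send the probe to a server you administer and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    reply = probe(target)
    print(target, status_code(reply), classify(reply))
```

A custom ErrorDocument that does not interpolate the request line should yield 'clean'; 'escaped' indicates a page that echoes the method but encodes it.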