Apache (mod_status) Refresh Header - Open Redirector (XSS)

2008.01.15
Credit: sp3x
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [SecurityReason - Apache (mod_status) Refresh Header - Open Redirector (XSS)] Author: sp3x Date: - - Written: 15.12.2007 - - Public: 15.01.2008 SecurityReason Research SecurityAlert Id: 50 CVE: CVE-2007-6388 SecurityRisk: Low Affected Software: Apache 2.2.x (mod_status) Apache 1.3.x Apache 2.0.x Advisory URL: http://securityreason.com/achievement_securityalert/50 Vendor: http://httpd.apache.org - --- 0.Description --- The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Apache has been the most popular web server on the Internet since April 1996. The November 2005 Netcraft Web Server Survey found that more than 70% of the web sites on the Internet are using Apache, thus making it more widely used than all other web servers combined. mod_status : http://httpd.apache.org/docs/2.0/mod/mod_status.html - From apache site : "The Status module allows a server administrator to find out how well their server is performing. A HTML page is presented that gives the current server statistics in an easily readable form. If required this page can be made to automatically refresh (given a compatible browser). Another page gives a simple machine-readable list of the current server state." - --- 1. Apache Refresh Header - Open Redirector (XSS) Vulnerability --- During the fact that Apache mod_status do not filter char ";" we can inject new URL. This fact give attacker open redirector and can lead to phishing attack. Also attacker can create more advanced method to trigger XSS on victim's browser. - --- 2. Exploit --- SecurityReason is not going to release a exploit to the general public. Exploit was provided and tested for Apache Team . - --- 3. How to fix --- Update to Apache 2.2.7-dev Apache 1.3.40-dev Apache 2.0.62-dev http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_13.html - --- 4. References --- A Refreshing Look at Redirection : http://www.securityfocus.com/archive/1/450418 by Amit Klein - --- 5. Greets --- For: Maksymilian Arciemowicz ( cXIb8O3 ), Infospec, pi3, p_e_a, mpp - --- 6. Contact --- Author: sp3x Email: sp3x [at] securityreason [dot] com GPG: http://securityreason.com/key/sp3x.gpg http://securityreason.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.7 (GNU/Linux) iD8DBQFHjGt7haZ93YsJSwQRAqD6AKDLNgb5jrXfwA/XvJsgabTyvAd+XACgw7WJ nufKkakHNgwwqaLjZR464Fk= =T+VM -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top