httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 46837] New: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Date Wed, 11 Mar 2009 23:47:31 GMT

           Summary: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection
                    and HTTP Response Splitting Vulnerability
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: RFC
          Severity: normal
          Priority: P2
         Component: mod_negotiation

Created an attachment (id=23371)
fix, applies to 2.2.9

When mod_negotiation returns a 406 response when serving a file whose name
includes whitespace or other special characters, those characters are not
escaped in the Alternates: header.

Similarly, the Content-Location: header is not escaped.

As a result, content negotiation will probably not work with such files.  There
is also a security impact: a user who can control the name of files on a web
server could inject responses that appear to come from other web sites served
by the same system.

On Mac OS X, this may be reproduced by

touch ~/Sites/'junk
Header: Injected

and then requesting


The CVE description claims the bug is present in 2.2.6 and earlier.  I have
confirmed it in 2.2.9.  Possibly all Apache versions that support content
negotiation are affected.

A patch is attached.

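The escaping the report describes as missing, as an added illustration (this is not the attached patch and not httpd code): a file name is percent-encoded before it is placed in a `Content-Location:` value, so an embedded line break cannot start a second header line. `escape_name`, `content_location_lines` and `sample_name` are hypothetical names, and the sample file name is constructed from the one in the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an httpd API: percent-encode every byte outside
 * the RFC 3986 "unreserved" set so whitespace, quotes and CR/LF in a file
 * name cannot end the header line. Returns length, -1 if dst is too small. */
static int escape_name(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        int safe = (*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z') ||
                   (*p >= '0' && *p <= '9') || strchr("-._~", *p) != NULL;
        if (o + (safe ? 1 : 3) >= dstlen)   /* keep room for the NUL */
            return -1;
        if (safe) {
            dst[o++] = (char)*p;
        } else {
            dst[o++] = '%';
            dst[o++] = hex[*p >> 4];
            dst[o++] = hex[*p & 0x0F];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed sample input modelled on the file name in the report. */
static const char sample_name[] = "junk\nHeader: Injected";

/* Lines that "Content-Location: <name>" occupies on the wire (1 + CR/LF
 * bytes), with the name raw (escape=0) or escaped (escape=1). */
static int content_location_lines(const char *name, int escape)
{
    char enc[256], header[320];
    int lines = 1;
    if (escape && escape_name(name, enc, sizeof enc) < 0)
        return -1;
    snprintf(header, sizeof header, "Content-Location: %s", escape ? enc : name);
    for (const char *p = header; *p; p++)
        lines += (*p == '\r' || *p == '\n');
    return lines;
}

int main(void)
{
    printf("raw: %d line(s)\n", content_location_lines(sample_name, 0));
    printf("escaped: %d line(s)\n", content_location_lines(sample_name, 1));
    return 0;
}
```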