httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46837] New: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Date Wed, 11 Mar 2009 23:47:31 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837

           Summary: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection
                    and HTTP Response Splitting Vulnerability
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: All
               URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0456
        OS/Version: All
            Status: NEW
          Keywords: RFC
          Severity: normal
          Priority: P2
         Component: mod_negotiation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: geoffk@apple.com


Created an attachment (id=23371)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=23371)
fix, applies to 2.2.9

When mod_negotiation returns a 406 response when serving a file whose name
includes whitespace or other special characters, those characters are not
escaped in the Alternates: header.

Similarly, the Content-Location: header is not escaped.

As a result, content negotiation will probably not work with such files.  There
is also a security impact: a user who can control the name of files on a web
server could inject responses that appear to come from other web sites served
by the same system.

On Mac OS X, this may be reproduced by

touch ~/Sites/'junk
Header: Injected
blah:.jpg'

and then requesting

http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:

The CVE description claims the bug is present in 2.2.6 and earlier.  I have
confirmed it in 2.2.9.  Possibly all Apache versions that support content
negotiation are affected.

A patch is attached.

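The escaping gap described in the report, as an added C sketch (not the attached patch and not httpd source): it builds a Content-Location line from the report's filename with and without percent-encoding, and the same treatment applies to the Alternates: header. The names escape_segment, header_lines and content_location are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3986 "unreserved" characters; every other byte gets percent-encoded. */
static const char unreserved[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

/* Hypothetical helper: escape one path segment. 0 on success, -1 if out is too small. */
static int escape_segment(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = strchr(unreserved, c) ? 1 : 3;
        if (o + need >= outlen) return -1;      /* keep room for the NUL */
        if (need == 1) { out[o++] = (char)c; continue; }
        out[o++] = '%';
        out[o++] = hex[c >> 4];
        out[o++] = hex[c & 0x0F];
    }
    out[o] = '\0';
    return 0;
}

/* Number of lines the value occupies once written into a response header. */
static int header_lines(const char *h)
{
    int n = 1;
    for (; *h; h++) if (*h == '\n') n++;
    return n;
}

/* escape != 0 gives the escaped form; 0 reproduces the verbatim copy. */
static int content_location(const char *name, int escape, char *out, size_t outlen)
{
    char esc[512];
    if (escape && escape_segment(name, esc, sizeof esc) != 0) return -1;
    int n = snprintf(out, outlen, "Content-Location: %s", escape ? esc : name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *name = "junk\nHeader: Injected\nblah:.jpg"; /* filename from the report */
    char raw[600], safe[600];
    if (content_location(name, 0, raw, sizeof raw) || content_location(name, 1, safe, sizeof safe)) return 1;
    printf("verbatim: %d lines\nescaped:  %d line\n%s\n", header_lines(raw), header_lines(safe), safe);
    return 0;
}
```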