Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability



Michal Majchrowicz wrote:
Okay so let's assume that there cany "anything" as the request. But
there has to be something that handles this request? If there is no
"handler" for request "<script>" Apache should return error page. And
what about protocol version? You didn't answer this question.
Regards Michal.

The handler here is your script - there's no way for apache to
know what your script does. It is the responsibility of the script
to raise an error in this case.

To be precise the HTTP specification (RFC 2616) says a method is:

Method = "OPTIONS" ; Section 9.2
| "GET" ; Section 9.3
| "HEAD" ; Section 9.4
| "POST" ; Section 9.5
| "PUT" ; Section 9.6
| "DELETE" ; Section 9.7
| "TRACE" ; Section 9.8
| "CONNECT" ; Section 9.9
| extension-method
extension-method = token

Now, token is defined by these productions:

token = 1*<any CHAR except CTLs or separators>

CHAR = <any US-ASCII character (octets 0 - 127)>

separators = "(" | ")" | "<" | ">" | "@"
| "," | ";" | ":" | "\" | <">
| "/" | "[" | "]" | "?" | "="
| "{" | "}" | SP | HT

CTL = <any US-ASCII control character
(octets 0 - 31) and DEL (127)>

So that implies that Apache is being slightly lax in passing arbitrary
content. However, there is no fixed list of valid methods as you can
define your own as an extension-method. This is used by a number of
protocols. Apache should probably raise an error if the method
contains characters outside these defined productions.

Cheers

Rich.



On 4/24/07, Richard Moore <rich@xxxxxxxxxxxxxxxx> wrote:
Michal Majchrowicz wrote:
Hi.
I think that server should have a list of valid requests. In fact
Apache warns you sometimes that valid requests are:
"GET/POST/TRACE/OPTIONS". The solution that it just accepts everything
as request and protocol makes no sense. What kind of protocol is

It makes lots of sense as I said - protocols like WebDAV are
layered on top of HTTP and are implemented in apache using the
exact same API as PHP uses. They need to add methods like PROPFIND
etc. Unless they are required to define the exact set of verbs
supported by every page then there's no way to define a fixed
list.

I do however agree that it could be restricted to something like
[A-Z0-9]+ as I said.

Cheers

Rich.

"<script>"?
Regards Michal.

On 4/24/07, Richard Moore <rich@xxxxxxxxxxxxxxxx> wrote:
Michal Majchrowicz wrote:
Hi.
I think now we can classify this as flaw in Apache. It accepts
requests that simply make no sense. Take a look at this example:
<script>alert(document.cookie);</script> /test.php
<script>alert(document.cookie);</script>
In some circumstances it may cause XSS vulnerability:
<?php
echo $_SERVER['REQUEST_METHOD'];
echo $_SERVER['SERVER_PROTOCOL'];
?>

As Kradorex Xeron said, that's a flaw in the script. Apache needs
to let arbitrary verbs through to the PHP (or other server extension)
otherwise tools like webdav that require additional verbs could not
be implemented. It is possibly arguable that it should restrict the
verbs to a single alphanumeric string, but it certainly can't be
counted on to be just GET/POST etc.

Cheers

Rich.

I am now investigating other possible attacks.
Regards Michal Majchrowicz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031





--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031





--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability
    ... Is there anywhere described which chars can be used in protocol ... The handler here is your script - there's no way for apache to ... I think that server should have a list of valid requests. ... Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England ...
    (Full-Disclosure)
  • RE: Winnt/Win2k Vuln ?
    ... specifying the underlying protocol, ... expect file system requests to be carried over the web. ... And you should need a separate client for FTP. ... A web BROWSER, also by definition, BROWSES the web. ...
    (Vuln-Dev)
  • Apache/Tomcat Denial Of Service And Information Leakage Vulnerability
    ... mod_jk 1.2 using Apache Jserv Protocol 1.3 ... Tomcat 4.x Server ... A client may connect to the target machine and deliver several requests ... response back over the connection. ...
    (Bugtraq)
  • Re: And even more PASSTHRU :-)
    ... StandingBy flag is "set" when the underlying adapter or the virtual miniport ... D0 -even if- the underlying adapter is still in sleep. ... protocols will try to send OID requests down. ... the underlying adapter is still in sleep, then protocol will not like it. ...
    (microsoft.public.development.device.drivers)
  • [9fans] 9p question: rationale for some missing POSIX-like operations and features
    ... Today I've introduced myself to the 9P protocol, ... someone could easily map HTTP requests over the ... headers, then do a write, then do query (to obtain the ... response headers), and then do read. ...
    (comp.os.plan9)