[UNIX] Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 29 Aug 2008 12:47:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a
cross-site scripting vulnerability when handling requests with wildcard
characters (aka globbing characters).
* Apache HTTP Server version 2.2.9 (and earlier 2.2.x versions)
* Apache HTTP Server version 2.0.63 (and earlier 2.0.x versions)
* Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support
Vendor status and information:
The developers were notified of this vulnerability on July 28, 2008 via
the private security mailing list security@xxxxxxxxxxx They acknowledged
it within 12 hours. On July 29, they assigned it a CVE ID. On August 5,
the vulnerability was fixed in all SVN branches:
Commit to main trunk:
Commit to 2.2 branch:
Commit to 2.0 branch:
When Apache HTTP Server is configured with proxy support ("ProxyRequests
On" in the configuration file), and when mod_proxy_ftp is enabled to
support FTP-over-HTTP, requests containing wildcard characters (asterisk,
tilde, opening square bracket, etc) such as:
GET ftp://host/*<foo> HTTP/1.0
lead to cross-site scripting in the response returned by mod_proxy_ftp:
<h2>Directory of <a href="/">ftp://host</a>/*<foo></h2>
To exploit this vulnerability, 'host' must be running an FTP server, and
the last directory component of the path (the XSS payload) must be
composed of at least 1 wildcard character and must not contain any forward
slashes. In practice, this last requirement is not an obstacle at all to
develop working exploits, example:
Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these have
not been released yet), or apply the patch from SVN commit r682868.
The information has been provided by <mailto:marc_bevand@xxxxxxxxxx> Marc
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Microsoft ASP.NET ValidateRequest Filters Bypassing Allows XSS And HTML Injection Attacks
- Next by Date: [EXPL] Sun Solaris snoop SMB Exploit
- Previous by thread: [NT] Microsoft ASP.NET ValidateRequest Filters Bypassing Allows XSS And HTML Injection Attacks
- Next by thread: [EXPL] Sun Solaris snoop SMB Exploit