Oracle HTTP Server Cross Site Scripting Vulnerability
From: Rafel Ivgi, The-Insider (theinsider_at_012.net.il)
Date: 01/24/04
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Sat, 24 Jan 2004 11:54:21 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Software: Oracle HTTP Server Powered by Apache
Vendor: http://www.apache.com
http://www.oracle.com
Versions: Oracle HTTP Server Powered by Apache/1.3.22 (Win32)
mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12
mod_oprocmgr/1.0 mod_perl/1.25
Platforms: Windows
Bug: Cross Site Scripting Vulnerability
Risk: Low
Exploitation: Remote with browser
Date: 24 Jan 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bug
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Apache is the most common Unix server in the world. It is strong and safe.
Oracle HTTP Server is a modified, custom Apache server that was created by
Apache for Oracle.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
The Vulnerability is Cross Site Scripting. If an attacker requests the
following URL from the server:
http://
SS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
Or
http://
XSS appears and the server allows an attacker to inject & execute scripts.

In the words of securityfocus.com :
~~~~~~~~~~~~~~~~~~~~~~~~~~
If all of these circumstances are met, an attacker may be able to exploit
this issue via a malicious link containing arbitrary HTML and script code as
part of the hostname.
When the malicious link is clicked by an unsuspecting user, the
attacker-supplied HTML and script code will be executed by their web client.
This will occur because the server will echo back the malicious hostname
supplied in the client's request, without sufficiently escaping HTML and
script code.
Attacks of this nature may make it possible for attackers to manipulate web
content or to steal cookie-based authentication credentials. It may be
possible to take arbitrary actions as the victim user.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
http://
SS')%3c/script%3e\&password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e
http://
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
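The reflected-input flaw described in the post, shown next to its fix, as an added example that is not part of the original message and is not Oracle's or Apache's code. The host, path, response template and function names are assumptions made for illustration; only the encoded `password` value is taken from the advisory.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed request: host and path are placeholders (the advisory's URLs are
# truncated); the password value is the encoded string quoted in the advisory.
SAMPLE_URL = ("http://server.example/placeholder-path"
              "?password=dsfsd%3cscript%3ealert('XSS')%3c/script%3e")

# Hypothetical error page that reports a request parameter back to the user.
TEMPLATE = "<html><body><p>Invalid value for {name}: {value}</p></body></html>"


def query_params(url):
    """Percent-decode the query string, as the server does before using it."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def render_unsafe(url):
    """'Before': request values are copied into the HTML response verbatim."""
    return "".join(TEMPLATE.format(name=n, value=v) for n, v in query_params(url))


def render_escaped(url):
    """'After': every request-derived string is HTML-escaped on output."""
    return "".join(
        TEMPLATE.format(name=html.escape(n), value=html.escape(v, quote=True))
        for n, v in query_params(url)
    )


def reflects_markup(url, render):
    """Regression check: is a decoded value containing '<' echoed unescaped?"""
    body = render(url)
    return any("<" in v and v in body for _, v in query_params(url))


if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        print(render.__name__, "reflects markup:", reflects_markup(SAMPLE_URL, render))
```

`reflects_markup` can serve as a regression test against any handler that builds HTML from request parameters: it fails as soon as a decoded value containing `<` reaches the response body unchanged.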