Does anyone have an idea how can I fix this vulnerability in Apache 2.2.4, without upgrading the Web Server?

This is what I found about it on the net at SecurityReason. The fix suggested by them is to upgrade it to version 2.2.6. But the server is live and upgrading it is the last resort.

Apache2 XSS Undefined Charset UTF-7 XSS Vulnerability

The XSS (UTF-7) exists in mod_autoindex.c. Charset is not defined and we can provide an XSS attack using the "P" option available in Apache 2.2.4 by setting Charset to UTF-7.

"P=pattern lists only files matching the given pattern"

Please suggest a solution for this.

+1  A: 

Well, first up it's only going to affect you if you are using the mod_autoindex. If you're not then you can stop reading now as there is no vulnerability on code you're running (though ideally, don't start using this module until you've updated the server).

Otherwise, it seems that an attacker can exploit the fact that the character set is not explicitly set to embed their own script into a page given a particularly crafted URL. This URL would use the "P" parameter in order to specify a filter for the autoindexing; an example exploit has understandably not been given but presumably certain clever manipulation of text would allow the attacker to insert their own JavaScript onto the returned page.

Hence it's a standard XSS attack (read the link if you're not familiar with the ramifications).

I would strongly suggest that you do upgrade, if you're affected, in order to get full security. Taking a website down for a while for security upgrades should be understood by its users, and it's much better than suffering an exploit. However, a workaround in the meantime would be to strip out any P parameters from incoming requests (assuming that no other pages on your site accept such a parameter, and that no other pages rely on passing filters to autoindexed pages), or even just disable the autoindexing mod altogether.

Andrzej Doyle
Thanks, you are right -- but it didn't help the server pass the vulnerability assessment test, so I upgraded it.
Mohit Nanda
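As an added illustration (not from this thread or the Apache project), here is how the workarounds in the answer above map onto httpd.conf directives available on a 2.2.4 server; the directory path is a placeholder and it assumes mod_autoindex (and, for the rewrite variant, mod_rewrite) is loaded.

```apache
# Added example: interim hardening for a live Apache 2.2.4 with mod_autoindex,
# until the upgrade to 2.2.6 or later can be scheduled.

# 1. Send an explicit charset on every text/html response, including
#    mod_autoindex listings, so a browser never has to guess (and cannot be
#    steered to UTF-7) for pages that declare no charset.
AddDefaultCharset UTF-8

<Directory /var/www/html>   # placeholder path, adjust to your DocumentRoot
    # 2a. Keep listings but make mod_autoindex ignore all client query
    #     variables (C, O, F, V and the P filter). IgnoreClient exists since
    #     2.0.23, so it is available on 2.2.4.
    IndexOptions +IgnoreClient

    # 2b. Or remove the exposure completely by turning listings off.
    #     Uncomment instead of 2a if nothing relies on directory indexes.
    # Options -Indexes
</Directory>

# 3. Alternative to 2a if you prefer to reject the filter at the request
#    level: refuse any request carrying a P= query parameter. Only safe when
#    no other page on the site accepts a parameter named P.
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)P= [NC]
RewriteRule ^ - [F]
```

After reloading, request a listed directory with `?P=*` and confirm the listing is unchanged (2a) or the request is refused (3); check the response's Content-Type header carries `charset=UTF-8`.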
A: 

I ended up updating to Apache 2.2.11!

However, dtsazza's answer was right, but MY VA testing team wouldn't buy it. :)

Mohit Nanda