Apache HTTP Server mod_ssl "Host:" header cross-site scripting
apache-modssl-host-xss (10457)
Description:
The mod_ssl SSL/TLS module for Apache HTTP Server is vulnerable to cross-site scripting, caused by improper filtering of the server name that mod_ssl inserts into a self-referencing URL in an error page it returns on the SSL port. If the 'UseCanonicalName' directive is set to Off, that server name is taken from the client-supplied HTTP "Host:" header rather than from the configured ServerName; if wildcard DNS is also enabled for the server's domain, any attacker-chosen hostname resolves to the server. A remote attacker could create a specially-crafted URL, containing URL-encoded script, that causes the victim's browser to submit a malicious "Host:" header to the server. Once the victim clicks the URL and the server reflects the "Host:" header into the error page, the embedded script is executed in the victim's browser within the security context of the hosting site. An attacker could use this vulnerability to hijack Web content or steal the victim's cookie-based authentication credentials. This is a different vulnerability from the SSI error page issue tracked as CAN-2002-0840.
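The reflection path described above, as an added simulation written for this page and not mod_ssl's own code: effective_server_name models the UseCanonicalName directive, error_page_vulnerable interpolates the resulting name into the self-referencing URL unfiltered, and error_page_hardened validates the name as a host[:port] and HTML-escapes it. The trigger modelled (a plain HTTP request to the SSL port), the error-page wording, the ServerName www.example.com and the crafted Host: value are all this editor's assumptions, not text from the advisory.

```python
import html
import re

# Configured ServerName for the simulation: an assumed value, not taken from the advisory.
CONFIGURED_SERVER_NAME = "www.example.com"

# A legitimate Host: value is a hostname (letters, digits, '.', '-') with an optional :port.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")


def parse_host_header(raw_request):
    """Return the Host: header value from a raw HTTP/1.x request, or None if absent."""
    for line in raw_request.split("\r\n")[1:]:
        if line == "":            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def effective_server_name(host_header, use_canonical_name):
    """Name Apache puts into self-referencing URLs.

    UseCanonicalName On  -> always the configured ServerName.
    UseCanonicalName Off -> whatever the client sent in Host: (ServerName if none).
    """
    if use_canonical_name or not host_header:
        return CONFIGURED_SERVER_NAME
    return host_header


def render_error_page(name):
    """Approximation of mod_ssl's 'plain HTTP to SSL port' error page (wording assumed);
    the caller decides whether `name` has been validated or escaped."""
    return (
        "<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY>\n"
        "<H1>Bad Request</H1>\n"
        "Reason: You're speaking plain HTTP to an SSL-enabled server port.<BR>\n"
        "Instead use the HTTPS scheme to access this URL, please.<BR>\n"
        f'<BLOCKQUOTE>Hint: <A HREF="https://{name}/"><B>https://{name}/</B></A></BLOCKQUOTE>\n'
        "</BODY></HTML>\n"
    )


def error_page_vulnerable(host_header, use_canonical_name=False):
    """Vulnerable behaviour: the server name goes into the markup unfiltered."""
    return render_error_page(effective_server_name(host_header, use_canonical_name))


def error_page_hardened(host_header, use_canonical_name=False):
    """Hardened behaviour: a Host: value that is not a syntactically valid host[:port]
    is replaced by ServerName, and the name is HTML-escaped before interpolation."""
    name = effective_server_name(host_header, use_canonical_name)
    if not HOST_RE.match(name):
        name = CONFIGURED_SERVER_NAME
    return render_error_page(html.escape(name, quote=True))


def reflects_payload(page, payload):
    """True if the attacker's payload appears verbatim (unescaped) in the response body."""
    return payload in page


# Constructed request: a browser following an attacker-supplied link to the SSL port
# over plain HTTP; wildcard DNS lets the crafted hostname resolve to the victim server.
PAYLOAD = '"><SCRIPT>alert(document.cookie)</SCRIPT><A HREF="'
CRAFTED_REQUEST = "GET / HTTP/1.0\r\n" + f"Host: {PAYLOAD}\r\n" + "\r\n"


def demo():
    """Run the three configurations against the crafted request."""
    host = parse_host_header(CRAFTED_REQUEST)
    return {
        "UseCanonicalName Off, unpatched": reflects_payload(error_page_vulnerable(host, False), PAYLOAD),
        "UseCanonicalName On, unpatched": reflects_payload(error_page_vulnerable(host, True), PAYLOAD),
        "UseCanonicalName Off, hardened": reflects_payload(error_page_hardened(host, False), PAYLOAD),
    }


if __name__ == "__main__":
    for config, reflected in demo().items():
        print(f"{config}: script reflected = {reflected}")
```

The two hardening steps are independent on purpose: the host[:port] syntax check is what actually keeps attacker markup out of the page, while the html.escape call is defence in depth for any other code path that later interpolates the name. Note that with UseCanonicalName On the unpatched page is already not reflective, which is the condition the description states.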
Platforms Affected:
- Apache, HTTP Server 1.3.26
- Apache, HTTP Server 1.3.9
- Conectiva, Linux 6.0
- Conectiva, Linux 7.0
- Conectiva, Linux 8.0
- Debian, Debian Linux 2.2
- Debian, Debian Linux 3.0
- EngardeLinux, Secure Linux
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 7.2
- MandrakeSoft, Mandrake Linux 8.0 PPC
- MandrakeSoft, Mandrake Linux 8.0
- MandrakeSoft, Mandrake Linux 8.1
- MandrakeSoft, Mandrake Linux 8.1 IA64
- MandrakeSoft, Mandrake Linux 8.2
- MandrakeSoft, Mandrake Linux 8.2 PPC
- MandrakeSoft, Mandrake Linux 9.0
- MandrakeSoft, Mandrake Single Network Firewall 7.2
- OpenPKG, OpenPKG 1.0
- OpenPKG, OpenPKG 1.1
- OpenPKG, OpenPKG CURRENT
- Ralf S. Engelschall, mod_ssl 2.4.10
- Ralf S. Engelschall, mod_ssl 2.8.9
- RedHat, Enterprise Linux 2.1 AS
- RedHat, Linux 6.2
- RedHat, Linux 7
- RedHat, Linux 7.1
- RedHat, Linux 7.1 for iSeries
- RedHat, Linux 7.1 for pSeries
- RedHat, Linux 7.2
- RedHat, Linux 7.3
- RedHat, Linux 8.0
- RedHat, Linux Advanced Workstation 2.1 Itanium
- RedHat, Stronghold
Remedy:
Upgrade to the latest version of mod_ssl (2.8.12-1.3.27 or later), available from the mod_ssl Web site. See References.
For Debian GNU/Linux:
Upgrade to the latest libapache-mod-ssl package, as listed below. Refer to DSA-181-1 for more information. See References.
Debian GNU/Linux 2.2 (potato): 2.4.10-1.3.9-1potato4 or later
Debian GNU/Linux 3.0 (woody): 2.8.9-2.1 or later
For OpenPKG:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.
OpenPKG 1.0: 1.3.22-1.0.6 or later
OpenPKG 1.1: 1.3.26-1.1.2 or later
OpenPKG CURRENT: 1.3.27-20021023 or later
For Mandrake Linux:
Upgrade to the latest mod_ssl package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:072 for more information. See References.
Linux-Mandrake 7.2 , 8.0, 8.1 and Single Network Firewall 7.2: 2.8.5-3.2mdk or later
Mandrake Linux 8.2: 2.8.7-3.2mdk or later
Mandrake Linux 9.0: 2.8.4-5.2mdk or later
For Gentoo Linux:
Upgrade to the latest net-www/mod_ssl package. Refer to Gentoo Linux Security Announcement 200210-009 for upgrade instructions. See References.
For EnGarde Secure Linux Community Edition:
Upgrade to the latest apache package (1.3.27-1.0.33 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021029-027. See References.
For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:541 for more information. See References.
Conectiva Linux 6.0: 1.3.26-1U60_5cl or later
Conectiva Linux 7.0: 1.3.26-1U70_8cl or later
Conectiva Linux 8.0: 1.3.26-1U80_5cl or later
For Red Hat Linux:
Upgrade to the latest apache, mod_ssl or httpd package, as listed below. Refer to RHSA-2002:222-21. See References.
apache:
Red Hat 6.2: 1.3.27-1.6.2 or later
Red Hat 7.0 and 7.1: 1.3.27-1.7.1 or later
Red Hat 7.2 and 7.3: 1.3.27-1.7.2 or later
mod_ssl:
Red Hat 7.0 and 7.1: 2.8.12-1.7 or later
Red Hat 7.2 and 7.3: 2.8.12-2 or later
Red Hat 8.0: 2.0.40-11 or later
httpd:
Red Hat 8.0: 2.0.40-11 or later
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Gain Access
References:
- Conectiva Linux Announcement CLSA-2002:541, Cross site scripting vulnerability in mod_ssl at http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000541.
- EnGarde Secure Linux Security Advisory ESA-20021029-027, apache at http://www.linuxsecurity.com/content/view/104273/109/.
- Gentoo Linux Security Announcement 200210-009, mod_ssl at http://archives.neohapsis.com/archives/bugtraq/2002-10/0374.html.
- mod_ssl Web site, mod_ssl: The Apache Interface to OpenSSL at http://www.modssl.org/.
- BID-6029: Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
- CVE-2002-1157: Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL, a different vulnerability than CAN-2002-0840.
- DSA-181: libapache-mod-ssl -- cross site scripting
- MDKSA-2002:072: Updated mod_ssl packages fix cross-site scripting vulnerability
- MDKSA-2003:024: Updated packages fix multiple vulnerabilities
- OSVDB ID: 2107: Apache HTTP Server mod_ssl Host: Header XSS
- RHSA-2002-222: Updated apache
- RHSA-2002-248: apache
- RHSA-2002-251: apache security update
- RHSA-2003-106: Updated apache and mod_ssl packages available
Reported:
Oct 22, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
