Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] [VulnWatch] Apache/PHP REQUEST_METHOD XSS Vulnerab

from [Michal Majchrowicz] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] [VulnWatch] Apache/PHP REQUEST_METHOD XSS Vulnerability
Date: Tue, 24 Apr 2007 12:51:18 +0200 
Hi.
I am talking about standard apache installation. And there is
something like this only:
 <Directory /home/*/public_html>
       AllowOverride FileInfo AuthConfig Limit -Indexes
       Options MultiViews -Indexes SymLinksIfOwnerMatch IncludesNoExec
       <Limit GET POST OPTIONS PROPFIND>
           Order allow,deny
           Allow from all
      </Limit>
      <LimitExcept GET POST OPTIONS PROPFIND>
           Order deny,allow
           Deny from all
      </LimitExcept>
   </Directory>
Regards Michal.

On 4/24/07, Bennett, Steve <s.bennett@lancaster.ac.uk> wrote:



There exist a flaw in a way how Apache and php combination handle the
$_SERVER array.
If the programmer writes scrip like this:
<?php
              echo $_SERVER['REQUEST_METHOD'];
?>
He will assume that REQUEST_METHOD can only by: GET,POST,OPTIONS,TRACE
and all that stuff. However this is not true, since Apache accepts
requests that look like this:
GET<script>alert(document.coookie);</script> /test.php HTTP/1.0
And the output for this would be:
GET<script>alert(document.coookie);</script>
Of course it is hard to exploit (I think some Flash might help ;)) and
I don't know if it is exploitable at all. But programmers should be
warned about this behaviour. You can't trust any  variable in the
$_SERVER table!


Hi Michal,

I think you're mistaken in this. Perhaps you have a broken apache config
file?

It's standard to have something like the following in access control
sections:
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>

This limits request methods to be (in this case) one of "GET", "POST",
"OPTIONS" and "PROPFIND". Any other values result in a 403 error (and
yes I've tested this).

I agree with the sentiment that applications should be paranoid about
any external input, but I don't see any way that the method you describe
can be exploited except on a deliberately misconfigured system.

Steve.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability, Kradorex Xeron
Next by Date:  Re: [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability, KJKHyperion
Previous by Thread:  Re: [Full-disclosure] Apache/PHP REQUEST_METHOD XSS Vulnerability, Vincent Archer
Next by Thread:  [Full-disclosure] Apache Illegal Request Handling Possible XSS Vulnerability, Michal Majchrowicz
Indexes:  [Date] [Thread] [Top] [All Lists]