Release of 2.0.43

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

Since all of these issues are now public, I'm moving the discussion over
to the dev list.

First, +1 to the patch below.  With nothing else put forward, this 
is the patch that will go into 2.0.43

I've already moved it to apply_to_2.0.42 since, after the public
disclosure, there is nothing standing in the way of revealing the
fix to this vulnerability posted (prematurely) this morning on 
bugtraq.

Ryan indicates that the fix for POST applied to dav/main/mod_dav.c
he committed earlier solves that problem.

There is a tag WROWE_2_0_43_PRE2 containing the bugfixes
applied to the tree since 2.0.42, excluding the changes for --bindir,
Berkley 4.1 and auth.

Please check out and test that tag.  Per my own and Brad Nicholes
observations, it builds on Win32 and Netware.

I'm prepared to tag and roll this release tommorow before 9am PDT.

Bill


>Subject: [PATCH] Re: Apache 404 Page Security Hole
>From: Brian Pane <br...@apache.org>
>Date: 21 Sep 2002 10:27:54 -0700
>
>Here's a patch that escapes the address produced by
>ap_server_signature().
>
>In the patch, I'm also HTML-escaping the SERVER_NAME
>environment variable that's set for CGI and SSI requests.
>A CGI script could use SERVER_NAME in some context other
>than HTML, of course, but I think it's safe to do the
>escaping because it only affects '<', '>', and '&',
>which shouldn't appear in a valid hostname.
>
>Brian
>
>On Sat, 2002-09-21 at 07:15, Dirk-Willem van Gulik wrote:
>> 
>> I've been off line for the last few days - was this acknowledged (to help
>> us keep this queit until patched). Cursory test seems to suggest it is
>> valid.
>>  
>> Dw
>> 
>> On Fri, 20 Sep 2002, Matthew Murphy wrote:
>> 
>> > In most cases, the Apache HTTPd protects well against cross-site scripting
>> > in its error output.  However, the "<address>" tag that Apache returns is
>> > vulnerable to a cross-site scripting issue.  The problem occurs because of
>> > wildcard support on some hosts.  If a domain pointing to an Apache HTTPd has
>> > wildcards enabled (in other words, all sub-domains that do not exist simply
>> > re-direct to the primary one), HTML markup can be passed as a subdomain, and
>> > apache will return it.
>> >
>> > This is a serious vulnerability as it allows stealing cookies from any
>> > Apache domain that uses them; this could enable theft of session
>> > authentication data or other personal information from users of some sites.
>> >
>> > http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22document%2Edomain%3D%27apachesit
>> > e%2Eorg%27%3Balert%28document%2Ecookie%29%22%3E.apachesite.org/404
>> >
>> > Will return this on a working Apache server with wildcards allowed:
>> >
>> > <address>Apache/2.0.39 Server at <img src=""
>> > onerror="document.domain='apachesite.org';alert(document.cookie)">.apachesit
>> > e.org Port 80</address>