Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/03/12 00:47:31 UTC
DO NOT REPLY [Bug 46837] New: CVE-2008-0456 Apache 'mod_negotiation'
HTML Injection and HTTP Response Splitting Vulnerability
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
Summary: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection
and HTTP Response Splitting Vulnerability
Product: Apache httpd-2
Version: 2.2.9
Platform: All
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0456
OS/Version: All
Status: NEW
Keywords: RFC
Severity: normal
Priority: P2
Component: mod_negotiation
AssignedTo: bugs@httpd.apache.org
ReportedBy: geoffk@apple.com
Created an attachment (id=23371)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23371)
fix, applies to 2.2.9
When mod_negotiation returns a 406 response when serving a file whose name
includes whitespace or other special characters, those characters are not
escaped in the Alternates: header.
Similarly, the Content-Location: header is not escaped.
As a result, content negotiation will probably not work with such files. There
is also a security impact: a user who can control the name of files on a web
server could inject responses that appear to come from other web sites served
by the same system.
On Mac OS X, this may be reproduced by
touch ~/Sites/'junk
Header: Injected
blah:.jpg'
and then requesting
http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:
The CVE description claims the bug is present in 2.2.6 and earlier. I have
confirmed it in 2.2.9. Possibly all Apache versions that support content
negotiation are affected.
A patch is attached.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
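
The escaping problem described in the report above, as an added example that is not the attached patch and not httpd's own code: the reported file name is placed into a simplified Alternates value with and without percent-encoding, and the result is checked for line breaks. The function names, the simplified header layout and the use of the RFC 3986 unreserved set are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Constructed sample: the file name from the report (embedded line feeds). */
static const char SAMPLE_NAME[] = "junk\nHeader: Injected\nblah:.jpg";

/* Hypothetical helper: percent-encode every byte outside the RFC 3986
 * unreserved set. Returns 0 on success, -1 if out is too small. */
int escape_segment(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            if (o + 1 >= outsz) return -1;      /* keep room for the NUL */
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outsz) return -1;
            out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Build a simplified Alternates value (layout is an assumption).
 * escape=0 reproduces the unescaped case from the report. */
int build_alternates(char *buf, size_t n, const char *name, int escape)
{
    char esc[512];
    if (escape) {
        if (escape_segment(name, esc, sizeof esc) != 0) return -1;
        name = esc;
    }
    int len = snprintf(buf, n, "{\"%s\" 1 {type image/jpeg}}", name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* A header value must never carry CR or LF; returns 1 if it does. */
int has_line_break(const char *v) { return strpbrk(v, "\r\n") != NULL; }

int main(void)
{
    char raw[1024], safe[1024];
    build_alternates(raw, sizeof raw, SAMPLE_NAME, 0);
    build_alternates(safe, sizeof safe, SAMPLE_NAME, 1);
    printf("raw has line break: %d\nsafe: %s\n", has_line_break(raw), safe);
}
```

The has_line_break check is also usable on its own as a last-line guard before any value derived from a file name is written into a response header.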
DO NOT REPLY [Bug 46837] CVE-2008-0456 Apache 'mod_negotiation' HTML
Injection and HTTP Response Splitting Vulnerability
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
Ruediger Pluem <rp...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #3 from Ruediger Pluem <rp...@apache.org> 2009-05-10 08:15:26 PST ---
Backported to 2.2.x as r752812 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=752812 )
DO NOT REPLY [Bug 46837] CVE-2008-0456 Apache 'mod_negotiation' HTML
Injection and HTTP Response Splitting Vulnerability
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
--- Comment #2 from Ruediger Pluem <rp...@apache.org> 2009-03-12 02:31:36 PST ---
Thanks for the patch. Committed as r752812 ( https://svn.apache.org/viewcvs.cgi?view=rev&rev=752812 ) to trunk.
DO NOT REPLY [Bug 46837] CVE-2008-0456 Apache 'mod_negotiation' HTML
Injection and HTTP Response Splitting Vulnerability
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
--- Comment #1 from Joe Orton <jo...@redhat.com> 2009-03-12 01:54:49 PST ---
I think this was considered a misconfiguration, not a bug.
http://marc.info/?l=apache-httpd-dev&m=120220806715363&w=2