Posted to dev@httpd.apache.org by Boyle Owen <Ow...@swx.com> on 2008/02/05 11:40:28 UTC

XSS vulnerability in mod_negotiation - status in 2.2.8?

Greetings,

Our security guy noticed this alert about a XSS vulnerability in
mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
According to the link, it applies to apache <= 2.2.6, so no worries for
2.2.8.

However, when I double-check the changelog for 2.2.8
(http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
mention of a patch in mod_negotiation...

From a quick inspection of the source code, there was no change to
mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
vulnerability is still present in 2.2.8? (ie, can it have been handled
at a higher level?)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.
 
 
This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks.

Re: XSS vulnerability in mod_negotiation - status in 2.2.8?

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Joshua Slive wrote:
> On Feb 5, 2008 5:40 AM, Boyle Owen <Ow...@swx.com> wrote:
>> Greetings,
>>
>> Our security guy noticed this alert about a XSS vulnerability in
>> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
>> According to the link, it applies to apache <= 2.2.6, so no worries for
>> 2.2.8.

The author of that post was already advised this isn't a vulnerability.
As they want egg on their face for flailing their arms about, surely you
aren't surprised their notes wouldn't otherwise be correct with respect
to the applicable version, are you?

> If I remember correctly, the security does not consider this a
> vulnerability. To do the XSS you need control of filenames on the
> server. If you have that, you probably have much-more-straightforward
> ways to steal cookies.

Bingo.  If you can create a file, you can author a XSS page. There simply
is not a vulnerability here.

> There might be a very-few badly-configured sites that are vulnerable
> to this, so it should be fixed. But it is not a serious security
> issue.

Disagree; it is a flaw, the names should be escaped, but there's absolutely
no reason to fix this for 'vulnerable' sites, their misconfiguration is far
more insidious if it has permitted this, and it's considered an XSS in their
context.

Bill
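The escaping Bill refers to, shown as an added example rather than httpd's own mod_negotiation code: a hypothetical renderer for a "Multiple Choices" style variant list that HTML-escapes each file name before it is placed in markup and percent-encodes it in the href. The `escape_names=False` path reproduces the unescaped rendering the thread is about, so the two outputs can be compared side by side on a constructed file name containing markup characters.

```python
import html
from urllib.parse import quote


def render_variant_list(variants, escape_names=True):
    """Return an HTML <ul> listing the given variant file names.

    Hypothetical renderer (not httpd's code). With escape_names=True the
    name is HTML-escaped for the link text and percent-encoded for the
    href, so markup characters in a file name are shown literally rather
    than interpreted by the browser. With escape_names=False the name is
    inserted verbatim, which is the unescaped behaviour under discussion.
    """
    items = []
    for name in variants:
        if escape_names:
            href = quote(name)                    # safe inside href="..."
            label = html.escape(name, quote=True)  # safe as element text
        else:
            href = name
            label = name
        items.append(f'<li><a href="{href}">{label}</a></li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>\n"


def contains_raw_markup(rendered, name):
    """True if the file name appears unescaped in the rendered HTML."""
    return name in rendered


# Constructed sample: ordinary negotiated variants plus one name that
# carries an HTML tag, the case an attacker with file-creation rights
# would rely on.
SAMPLE_VARIANTS = ["index.html.en", "index.html.de", "report<b>.html"]

if __name__ == "__main__":
    print(render_variant_list(SAMPLE_VARIANTS, escape_names=False))
    print(render_variant_list(SAMPLE_VARIANTS, escape_names=True))
```

The check to take from the thread is the one Joshua and Bill make: the unescaped output only matters if an attacker can already choose file names on the server, so the escaping is a correctness fix for the module rather than a mitigation for a realistic exposure on a sanely configured host.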

Re: XSS vulnerability in mod_negotiation - status in 2.2.8?

Posted by Joshua Slive <jo...@slive.ca>.
On Feb 5, 2008 5:40 AM, Boyle Owen <Ow...@swx.com> wrote:
> Greetings,
>
> Our security guy noticed this alert about a XSS vulnerability in
> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
> According to the link, it applies to apache <= 2.2.6, so no worries for
> 2.2.8.
>
> However, when I double-check the changelog for 2.2.8
> (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
> mention of a patch in mod_negotiation...
>
> From a quick inspection of the source code, there was no change to
> mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
> vulnerability is still present in 2.2.8? (ie, can it have been handled
> at a higher level?)

If I remember correctly, the security does not consider this a
vulnerability. To do the XSS you need control of filenames on the
server. If you have that, you probably have much-more-straightforward
ways to steal cookies.

There might be a very-few badly-configured sites that are vulnerable
to this, so it should be fixed. But it is not a serious security
issue.

Joshua.

RE: XSS vulnerability in mod_negotiation - status in 2.2.8?

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: Stefan Fritsch [mailto:sf@sfritsch.de]
> Sent: Wednesday, February 06, 2008 12:57 PM
> To: dev@httpd.apache.org
> Subject: RE: XSS vulnerability in mod_negotiation - status in 2.2.8?
>
> Hi,
>
> On Wed, 6 Feb 2008, Boyle Owen wrote:
>
> > It is clear to me now that this is a storm in a teacup. I note also that
> > the "vulnerability" never made it to the CVE database so I think we can
> > decide on "no further action".
>
> That's not true. CVE-2008-0455 and CVE-2008-0456 have been assigned to
> this issue.

I stand corrected... 

I should have said that the Google site search on CVE doesn't find
anything about this issue when given search strings "MSA01150108" or
"mod_negotiation". The more specific key-search page comes up trumps,
however.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> Maybe the apache security team should contact mitre so that
> these entries are marked as disputed.
> 
> Cheers,
> Stefan
>

RE: XSS vulnerability in mod_negotiation - status in 2.2.8?

Posted by Stefan Fritsch <sf...@sfritsch.de>.
Hi,

On Wed, 6 Feb 2008, Boyle Owen wrote:

> It is clear to me now that this is a storm in a teacup. I note also that
> the "vulnerability" never made it to the CVE database so I think we can
> decide on "no further action".

That's not true. CVE-2008-0455 and CVE-2008-0456 have been assigned to 
this issue. Maybe the apache security team should contact mitre so that 
these entries are marked as disputed.

Cheers,
Stefan

RE: XSS vulnerability in mod_negotiation - status in 2.2.8?

Posted by Boyle Owen <Ow...@swx.com>.
It is clear to me now that this is a storm in a teacup. I note also that
the "vulnerability" never made it to the CVE database so I think we can
decide on "no further action".

Thanks to Joshua and William for their helpful insights.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com] 
> Sent: Tuesday, February 05, 2008 11:40 AM
> To: dev@httpd.apache.org
> Subject: XSS vulnerability in mod_negotiation - status in 2.2.8?
> 
> Greetings,
> 
> Our security guy noticed this alert about a XSS vulnerability in
> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
> According to the link, it applies to apache <= 2.2.6, so no 
> worries for
> 2.2.8.
> 
> However, when I double-check the changelog for 2.2.8
> (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
> mention of a patch in mod_negotiation...
> 
> From a quick inspection of the source code, there was no change to
> mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
> vulnerability is still present in 2.2.8? (ie, can it have been handled
> at a higher level?)
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored.