Vulnerability Alert

Apache HTTP Server mod_negotiation Cross-Site Scripting Vulnerability

 
Threat Type: CWE-79: Cross-Site Scripting (XSS)
IntelliShield ID: 17851
Version: 4
First Published: 2009 March 23 22:38 GMT
Last Published: 2013 February 21 16:38 GMT
Port: Not available
CVE: CVE-2008-0455
BugTraq ID: 27409
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3
CVSS Version: 2.0
CVSS Temporal: 3.5
 
Version Summary: Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.
 
 
Description
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the browser session of a user.

The vulnerability is caused by the way the mod_negotiation module handles filenames in "406 Not Acceptable" and "300 Multiple Choices" responses. An unauthenticated, remote attacker could exploit the vulnerability by uploading a file with a malicious name and convincing the user to follow a link containing the filename. An exploit could result in the execution of arbitrary script code in the user's browser session in the security context of the site.

Proof-of-concept URLs are available.

Apache has not confirmed the vulnerability; however, third-party updates are available.
 
Warning Indicators
The following versions of Apache HTTP Server are vulnerable:

Apache HTTP Server 2.2.6 and prior
Apache HTTP Server 1.3.39 and prior
Apache HTTP Server 2.0.61 and prior

 
IntelliShield Analysis
Although Apache has acknowledged that this issue is a flaw, they do not believe it is a vulnerability. If a server is configured to allow remote, unauthenticated users to save files on the server, any number of other vulnerabilities and cross-site scripting exploits could be introduced to the system.

Apache 2.2.8 and higher are reported as being invulnerable to these attacks, but there is no clear indication what has changed in the code base. Administrators are advised to secure the configuration in cases where the flaw could be exploited.
 
Vendor Announcements
Gentoo has released a security advisory at the following link: GLSA 200803-19

Red Hat has released an official CVE statement and security advisories for bug 850794 at the following links: CVE-2008-0455, RHSA-2012:1591, RHSA-2012:1592, RHSA-2012:1594, RHSA-2013:0130, and RHSA-2013:0512
 
Impact
An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary script code in a user's browser session in the security context of a vulnerable site. The attacker could leverage this ability to access cookie-based authentication credentials or perform actions on the site as the user.
 
Technical Information
The mod_negotiation module is used in Apache to select the content, such as a language variant, that best matches the characteristics and capabilities of the requesting client. The vulnerability occurs because certain pages generated by mod_negotiation do not HTML-escape the filenames the server passes to them. An attacker could upload files whose names include script and then convince a user to visit a URL that results in a "406 Not Acceptable" or "300 Multiple Choices" page. Because these pages do not sanitize the filenames before echoing them, the browser interprets markup in the names as part of the page, and any script they contain executes in the user's browser.
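As an added defender's example (not part of the advisory or of Apache's code), the following Python looks for the two traces the mechanism above leaves behind: requests that drew a 300 or 406 response while carrying HTML-significant characters in the requested path, and files in a served directory whose names carry such characters. The access-log regex, the sample log lines and the sample directory listing are constructed for this example.

```python
import re
from urllib.parse import unquote

# Apache "combined"/"common" access-log line (constructed regex for this example).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Responses whose mod_negotiation-generated body echoes the requested filename.
NEGOTIATION_STATUSES = {"300", "406"}

# Characters that let an echoed, unescaped filename break out of HTML context
# (CWE-79). Matched after URL-decoding so encoded forms are not missed.
MARKUP_CHARS = re.compile(r'[<>"\']')


def suspicious_negotiation_requests(lines):
    """Return (host, status, decoded_path) for each 300/406 response whose
    requested path contains markup characters once URL-decoded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in NEGOTIATION_STATUSES:
            continue
        # Decode twice so a double-encoded path (%253C -> %3C -> <) is caught too.
        decoded = unquote(unquote(m["path"]))
        if MARKUP_CHARS.search(decoded):
            hits.append((m["host"], m["status"], decoded))
    return hits


def suspicious_filenames(names):
    """Return names from a served directory listing that carry markup
    characters; these are the files a 300/406 page would echo unescaped."""
    return [n for n in names if MARKUP_CHARS.search(n)]


# Constructed sample data (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Mar/2009:22:38:01 +0000] "GET /docs/index HTTP/1.1" 300 612',
    '203.0.113.9 - - [23/Mar/2009:22:39:10 +0000] "GET /docs/report%3Cb%3E HTTP/1.1" 406 455',
    '198.51.100.7 - - [23/Mar/2009:22:40:00 +0000] "GET /docs/%22quoted%22 HTTP/1.1" 200 1024',
    '198.51.100.8 - - [23/Mar/2009:22:41:00 +0000] "GET /docs/a%253E HTTP/1.1" 300 700',
]
SAMPLE_LISTING = ["index.html.en", "index.html.fr", "report<b>.html"]

if __name__ == "__main__":
    for host, status, path in suspicious_negotiation_requests(SAMPLE_LOG):
        print(f"{host} {status} {path}")
    print(suspicious_filenames(SAMPLE_LISTING))
```

The 200 response with quotes in its path is deliberately not flagged: only the 300 and 406 pages echo the filename, so other statuses are noise for this issue.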
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to configure Apache servers to deny attempts to create files from unauthenticated, remote users.

Administrators are advised not to configure mod_negotiation unless necessary for specific business operations.

Users are advised not to follow links from untrusted sources. Users are advised to verify the authenticity of unexpected links from trusted sources prior to following them.
 
Patches/Software
Gentoo administrators can use the emerge command to obtain the following updated package: www-servers/apache-2.2.8

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name | Release | Latest Release Date
16094/0 | Apache HTTP Server mod_negotiation Cross Site Scripting | S452 | 2009 Dec 01
 
Alert History
 

Version 3, January 9, 2013, 7:17 AM: Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.

Version 2, December 19, 2012, 7:36 AM: Red Hat has released multiple security advisories and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.

Version 1, March 23, 2009, 2:38 PM: The Apache HTTP Server contains a cross-site scripting vulnerability in the mod_negotiation module that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser session. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Apache Software Foundation: Apache HTTP Server 1.3 Base | 1.3.1 Base | 1.3.2 Base | 1.3.3 Base | 1.3.4 Base | 1.3.6 Base | 1.3.7 Base | 1.3.9 Base | 1.3.11 Base | 1.3.12 Base | 1.3.13 Base | 1.3.14 Base | 1.3.15 Base | 1.3.16 Base | 1.3.17 Base | 1.3.18 Base | 1.3.19 Base | 1.3.20 Base | 1.3.22 Base | 1.3.23 Base | 1.3.24 Base | 1.3.25 Base | 1.3.26 Base | 1.3.27 Base | 1.3.28 Base | 1.3.29 Base | 1.3.30 Base | 1.3.31 Base | 1.3.32 Base | 1.3.33 Base | 1.3.34 Base | 1.3.35 Base | 1.3.36 Base | 1.3.37 Base | 1.3.39 Base | 2.0 Base | 2.0.28 Base | 2.0.29 Base | 2.0.30 Base | 2.0.31 Base | 2.0.32 Base | 2.0.33 Base | 2.0.34 Base | 2.0.35 Base | 2.0.36 Base | 2.0.37 Base | 2.0.38 Base | 2.0.39 Base | 2.0.40 Base | 2.0.41 Base | 2.0.42 Base | 2.0.43 Base | 2.0.44 Base | 2.0.45 Base | 2.0.46 Base | 2.0.47 Base | 2.0.48 Base | 2.0.49 Base | 2.0.50 Base | 2.0.51 Base | 2.0.52 Base | 2.0.53 Base | 2.0.54 Base | 2.0.55 Base | 2.0.56 Base | 2.0.57 Base | 2.0.58 Base | 2.0.59 Base | 2.0.61 Base | 2.2.0 | 2.2.1 | 2.2.2 | 2.2.3 | 2.2.4 | 2.2.6

Associated Products:
Red Hat, Inc.: JBoss Enterprise Application Platform 6.0.0 Base | 6 EL5 IA-32, x86_64 | 6 EL6 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64 | 6 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux HPC Node 6 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server 6 IA-32, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 6 IA-32, x86_64




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

