Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.
Apache HTTP Server contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary script code in the browser session of a user.
The vulnerability is caused by the way the mod_negotiation module handles filenames in "406 Not Acceptable" and "300 Multiple Choices" responses. An unauthenticated, remote attacker could exploit the vulnerability by uploading a file with a malicious name and convincing the user to follow a link containing the filename. An exploit could result in the execution of arbitrary script code in the user's browser session in the security context of the site.
Proof-of-concept URLs are available.
Apache has not confirmed the vulnerability; however, third-party updates are available.
The following versions of Apache HTTP Server are vulnerable:
Apache HTTP Server versions including 2.2.6 and prior
Apache HTTP Server 1.3.39 and prior
Apache HTTP Server 2.0.61 and prior
Although Apache has acknowledged that this issue is a flaw, they do not believe it is a vulnerability. If a server is configured to allow remote, unauthenticated users to save files on the server, any number of other vulnerabilities and cross-site scripting exploits could be introduced to the system.
Apache 2.2.8 and higher are reported as being invulnerable to these attacks, but there is no clear indication what has changed in the code base. Administrators are advised to secure the configuration in cases where the flaw could be exploited.
Gentoo has released a security advisory at the following link: GLSA 200803-19
An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary script code in a user's browser session in the security context of a vulnerable site. The attacker could leverage this ability to access cookie-based authentication credentials or perform actions on the site as the user.
The mod_negotiation module is used in Apache to select content, such as the language selection, that best matches the characteristics and capabilities of the client requesting the information. The vulnerability in certain pages within mod_negotiation occurs because it does not escape HTML content that is passed to it from the server. An attacker could upload files with names that include scripts that can be executed within a user's browser if they can convince the user to visit a URL that directs to a "406 Not Acceptable" or "300 Multiple Choices" page. Since these pages do not sanitize the file names, the file names are read as parameters, which are then executed as scripts.
Administrators are advised to apply the appropriate updates.
Administrators are advised to configure Apache servers to deny attempts to create files from unauthenticated, remote users.
Administrators are advised not to configure mod_negotiation unless necessary for specific business operations.
Users are advised not to follow links from untrusted sources. Users are advised to verify the authenticity of unexpected links from trusted sources prior to following them.
Gentoo administrators can use the emerge command to obtain the following updated package: www-servers/apache-2.2.8
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Version 3, January 9, 2013, 7:17 AM: Red Hat has released an additional security advisory and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.
Version 2, December 19, 2012, 7:36 AM: Red Hat has released multiple security advisories and updated packages to address the Apache HTTP Server mod_negotiation cross-site scripting vulnerability.
Version 1, March 23, 2009, 2:38 PM: The Apache HTTP Server contains a cross-site scripting vulnerability in the mod_negotiation module that could allow an unauthenticated, remote attacker to execute arbitrary script code in the user's browser session. Updates are available.
The security vulnerability applies to the following combinations of products.
Apache Software Foundation
Apache HTTP Server
1.3 Base | 1.3.1 Base | 1.3.2 Base | 1.3.3 Base | 1.3.4 Base | 1.3.6 Base | 1.3.7 Base | 1.3.9 Base | 1.3.11 Base | 1.3.12 Base | 1.3.13 Base | 1.3.14 Base | 1.3.15 Base | 1.3.16 Base | 1.3.17 Base | 1.3.18 Base | 1.3.19 Base | 1.3.20 Base | 1.3.22 Base | 1.3.23 Base | 1.3.24 Base | 1.3.25 Base | 1.3.26 Base | 1.3.27 Base | 1.3.28 Base | 1.3.29 Base | 1.3.30 Base | 1.3.31 Base | 1.3.32 Base | 1.3.33 Base | 1.3.34 Base | 1.3.35 Base | 1.3.36 Base | 1.3.37 Base | 1.3.39 Base | 2.0 Base | 2.0.28 Base | 2.0.29 Base | 2.0.30 Base | 2.0.31 Base | 2.0.32 Base | 2.0.33 Base | 2.0.34 Base | 2.0.35 Base | 2.0.36 Base | 2.0.37 Base | 2.0.38 Base | 2.0.39 Base | 2.0.40 Base | 2.0.41 Base | 2.0.42 Base | 2.0.43 Base | 2.0.44 Base | 2.0.45 Base | 2.0.46 Base | 2.0.47 Base | 2.0.48 Base | 2.0.49 Base | 2.0.50 Base | 2.0.51 Base | 2.0.52 Base | 2.0.53 Base | 2.0.54 Base | 2.0.55 Base | 2.0.56 Base | 2.0.57 Base | 2.0.58 Base | 2.0.59 Base | 2.0.61 Base | 2.2 .0, .1, .2, .3, .4, .6
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.