Bugtraq mailing list archives
Re: Apache Multiple Injection Vulnerabilities
From: Amit Klein <aksecurity () gmail com>
Date: Thu, 15 Feb 2007 20:39:19 +0200
hugo () infohacking com wrote:
There's a new advisory at: http://www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/apache/index.html Summarizing: [...] b) Control codes injection -backspaces, etc.- thus allowing script injection in the server response. Right now it seems that this vulnerability is not affecting real browsers, just because of the "backspace" escaping in the clients, or due to other things. Anyway, the problem is that echoing back control codes is a violation of the Content-Type charset in the response and is IMHO a security risk.
Just a quick note: what you demonstrated is that "control characters" are returned in a response whose charset is "iso-8859-1". But your text later states that "ISO 8859-1 encodes ...". Notice the difference: "iso-8859-1" vs. "iso 8859-1" - hyphen vs. space. These are different character sets - iso-8859-1 is a superset of iso 8859-1, adding all those control characters and whatnot. From RFC-1345:
&charset ISO_8859-1:1987 &rem source: ECMA registry &alias iso-ir-100 &g1esc x2d41 &g2esc x2e41 &g3esc x2f41 &alias ISO_8859-1 &alias ISO-8859-1 &alias latin1 &alias l1 &alias IBM819 &alias CP819 &code 0 NU SH SX EX ET EQ AK BL BS HT LF VT FF CR SO SI DL D1 D2 D3 D4 NK SY EB CN EM SB EC FS GS RS US SP ! " Nb DO % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? At A B C D E F G H I J K L M N O P Q R S T U V W X Y Z <( // )> '> _ '! a b c d e f g h i j k l m n o p q r s t u v w x y z (! !! !) '? DT PA HO BH NH IN NL SA ES HS HJ VS PD PU RI S2 S3 DC P1 P2 TS CC MW SG EG SS GC SC CI ST OC PM AC NS !I Ct Pd Cu Ye BB SE ': Co -a << NO -- Rg '- DG +- 2S 3S '' My PI .M ', 1S -o >> 14 12 34 ?I A! A' A> A? A: AA AE C, E! E' E> E: I! I' I> I: D- N? O! O' O> O? O: *X O/ U! U' U> U: Y' TH ss a! a' a> a? a: aa ae c, e! e' e> e: i! i' i> i: d- n? o! o' o> o? o: -: o/ u! u' u> u: y' th y: So those control characters are not in violation of the stated charset. Thanks, -Amit
Current thread:
- Apache Multiple Injection Vulnerabilities hugo (Feb 14)
- Re: Apache Multiple Injection Vulnerabilities Amit Klein (Feb 15)
- Re: Apache Multiple Injection Vulnerabilities Hugo Vázquez Caramés (Feb 15)
- Re: Apache Multiple Injection Vulnerabilities Amit Klein (Feb 20)
- <Possible follow-ups>
- RE: Apache Multiple Injection Vulnerabilities Rogier Mulhuijzen (Feb 15)
- Re: Apache Multiple Injection Vulnerabilities security (Feb 16)
- Re: Re: Apache Multiple Injection Vulnerabilities hugo (Feb 20)
- Re: Apache Multiple Injection Vulnerabilities Amit Klein (Feb 15)