Re: Apache Multiple Injection Vulnerabilities

[security () zeus com]

Vendor Response: Zeus Technology

Zeus have posted an assessment of this advisory, and how it affects users of Zeus Web Server at the following location:

http://support.zeus.com/zws/security/2007/02/15/location_http_header_injection_vulnerabi

A summary is as follows:

1. Zeus conforms that the "Error response arbitrary injection" method is not applicable to Zeus Web Server.

2. The "Location HTTP header injection" does affect Zeus Web Server, but only constitutes a vulnerability in a 
particular, uncommon use case for Zeus Web Server.

Assessment of the Location HTTP Header Injection vulnerability
-----------------------------------------------------------------

A web server should preserve a :port component in a URL when issuing a redirect.  This caters for the possibility that 
the public port is different to the actual internal port (for example, when running through a proxy on the same 
server).  

Webservers that preserve this information, such as Zeus Web Server, are behaving correctly in line with the HTTP 
specification (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23)

Zeus agree that preserving any path information in the host header is not correct behavior.  A more appropriate 
behaviour would be to return a 400 Bad Request response.

This problem should not affect ordinary web clients because no such clients will generate this erroneous host header 
value.

The author's assertion that a malicious attacker could use this behaviour to poison a web cache is incorrect in the 
vast majority of cases, because web caches ordinarily consider the host header when caching web responses.  The web 
cache could only be provoked into delivering the incorrect, cached response by sending a request with the fake host 
header.

A cache could be poisoned if it were deliberately configured to ignore the host header.  This would only be the case if 
the cache was acting as an acceleration device, fronting a single domain on one web server.

Zeus advise that if you are fronting Zeus Web Server with a reverse proxy cache that has been configured to ignore host 
headers, it may be possible to poison the cache and mount an effective Denial of Service attack.

Workaround

If you are concerned about this behaviour, you can configure Zeus Web Server to remove path and port components from 
host headers in a request. The following Request Rewriting rule can be applied to your virtual servers:

# Remove any trailing :port or /URL from Host header
match IN:Host into $ with ([^:/]*)
if matched then
  set IN:Host = $1
endif

Other Observations

Zeus Technology works closely with customers, evaluators, security professionals and other researchers to ensure its 
products are secure and free from defects. Any security-related comments received at security () zeus com, or through 
any other means, are treated as being of the utmost importance. Zeus respectfully requests that security issues are 
notified directly to Zeus before being publicly disclosed.