Apache HTTP Server mod_ssl "Host:" header cross-site scripting
apache-modssl-host-xss (10457)
Description:
The mod_ssl authentication module is vulnerable to cross-site scripting, caused by improper filtering of server signature data by Server Side Include (SSI) error pages. If the 'UseCanonicalName' option is disabled and the wildcard Domain Name System (DNS) is enabled, a remote attacker could create a specially-crafted URL request containing URL encoded script that would cause a malicious HTTP "Host:" header to be submitted to the server. Once the victim clicks the URL and the HTTP "Host:" header is processed, the embedded script would then be executed in the victim's browser within the security context of the hosting site. An attacker could use this vulnerability to hijack Web content, steal the victim's cookie-based authentication credentials, and potentially compromise the affected Web server.
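The condition described above (an SSL virtual host running with UseCanonicalName Off, so the server name that mod_ssl echoes into self-referencing URLs on the SSL port is taken from the client's "Host:" header rather than from ServerName) can be checked for in a configuration audit. The Python script below is an added example, not part of this X-Force entry or of mod_ssl itself. It uses a minimal parser (global directives and top-level VirtualHost blocks only; no Include or IfModule handling, which is an assumption made to keep the example short) over a constructed httpd.conf fragment, and flags every SSL-enabled vhost whose effective UseCanonicalName is Off, whether set in the vhost or inherited from the global scope. The sample hostnames, addresses and configuration are constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed sample httpd.conf fragment (assumed; not taken from any real host).
# The first SSL vhost keeps the weak setting the advisory describes, the second is corrected.
SAMPLE_CONF = """\
LoadModule ssl_module libexec/libssl.so
UseCanonicalName On

<VirtualHost _default_:443>
    ServerName secure.example.test
    SSLEngine on
    # weak: server name for self-referencing URLs comes from the client's Host: header
    UseCanonicalName Off
    ErrorDocument 404 /errors/404.shtml
</VirtualHost>

<VirtualHost 10.0.0.5:443>
    ServerName shop.example.test
    SSLEngine on
    # corrected: self-referencing URLs are built from ServerName
    UseCanonicalName On
    ErrorDocument 404 /errors/404.shtml
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.test
    # plain HTTP vhost: outside the scope of this advisory, so not reported
    UseCanonicalName Off
</VirtualHost>
"""


@dataclass
class VHost:
    address: str
    directives: list = field(default_factory=list)  # (name_lower, value) in file order


def _last(directives, name):
    """Value of the last occurrence of a directive, or None (in Apache the later one wins)."""
    value = None
    for key, val in directives:
        if key == name:
            value = val
    return value


def parse_conf(text):
    """Minimal parser: returns (global_directives, [VHost, ...]).
    Assumption: only top-level <VirtualHost> containers; comment lines start with '#'."""
    global_d, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'<VirtualHost\s+([^>]+)>$', line, re.I)
        if m:
            current = VHost(m.group(1).strip())
            continue
        if re.match(r'</VirtualHost>$', line, re.I):
            vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else '')
        target = current.directives if current is not None else global_d
        target.append((name, value))
    return global_d, vhosts


def audit(text):
    """Return [(label, status, reason)] for every vhost with 'SSLEngine on'.
    'weak'   : effective UseCanonicalName is Off (vhost or inherited global setting)
    'review' : UseCanonicalName never set (server default applies) or no ServerName
    'ok'     : UseCanonicalName On together with an explicit ServerName"""
    global_d, vhosts = parse_conf(text)
    findings = []
    for vh in vhosts:
        if (_last(vh.directives, 'sslengine') or '').lower() != 'on':
            continue  # only SSL hosts are in scope for this advisory
        servername = _last(vh.directives, 'servername')
        label = servername or vh.address
        ucn, scope = _last(vh.directives, 'usecanonicalname'), 'vhost'
        if ucn is None:
            ucn, scope = _last(global_d, 'usecanonicalname'), 'global'
        if ucn is None:
            findings.append((label, 'review', 'UseCanonicalName not set; server default applies'))
        elif ucn.lower() == 'off':
            findings.append((label, 'weak',
                             f'UseCanonicalName Off ({scope} scope): Host: header is reflected into self-referencing URLs'))
        elif servername is None:
            findings.append((label, 'review', 'UseCanonicalName On but no ServerName; Apache will guess the name'))
        else:
            findings.append((label, 'ok', f'UseCanonicalName On ({scope} scope) with explicit ServerName'))
    return findings


if __name__ == '__main__':
    for label, status, reason in audit(SAMPLE_CONF):
        print(f'{status:6} {label}: {reason}')
```

Run against the sample, the script reports secure.example.test as weak and shop.example.test as ok; the port-80 host is skipped. The check is a configuration-side complement to the remedy, not a substitute for it: the advisory's fix is the package upgrade, and setting UseCanonicalName On with an explicit ServerName only removes the client-controlled input from the reflected server name.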
Consequences:
Gain Access
Remedy:
Upgrade to the latest version of mod_ssl (2.8.12-1.3.27 or later), available from the mod_ssl Web site. See References.
For Debian GNU/Linux:
Upgrade to the latest libapache-mod-ssl package, as listed below. Refer to DSA-181-1 for more information. See References.
Debian GNU/Linux 2.2 (potato): 2.4.10-1.3.9-1potato4 or later
Debian GNU/Linux 3.0 (woody): 2.8.9-2.1 or later
For OpenPKG:
Upgrade to the latest apache package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2002.010 for more information. See References.
OpenPKG 1.0: 1.3.22-1.0.6 or later
OpenPKG 1.1: 1.3.26-1.1.2 or later
OpenPKG CURRENT: 1.3.27-20021023 or later
For Mandrake Linux:
Upgrade to the latest mod_ssl package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2002:072 for more information. See References.
Linux-Mandrake 7.2, 8.0, 8.1 and Single Network Firewall 7.2: 2.8.5-3.2mdk or later
Mandrake Linux 8.2: 2.8.7-3.2mdk or later
Mandrake Linux 9.0: 2.8.4-5.2mdk or later
For Gentoo Linux:
Upgrade to the latest net-www/mod_ssl package. Refer to Gentoo Linux Security Announcement 200210-009 for upgrade instructions. See References.
For EnGarde Secure Linux Community Edition:
Upgrade to the latest apache package (1.3.27-1.0.33 or later), as listed in EnGarde Secure Linux Security Advisory ESA-20021029-027. See References.
For Conectiva Linux:
Upgrade to the latest apache package, as listed below. Refer to Conectiva Linux Announcement CLSA-2002:541 for more information. See References.
Conectiva Linux 6.0: 1.3.26-1U60_5cl or later
Conectiva Linux 7.0: 1.3.26-1U70_8cl or later
Conectiva Linux 8.0: 1.3.26-1U80_5cl or later
For Red Hat Linux:
Upgrade to the latest apache, mod_ssl or httpd package, as listed below. Refer to RHSA-2002:222-21 for more information. See References.
apache:
Red Hat 6.2: 1.3.27-1.6.2 or later
Red Hat 7.0 and 7.1: 1.3.27-1.7.1 or later
Red Hat 7.2 and 7.3: 1.3.27-1.7.2 or later
mod_ssl:
Red Hat 7.0 and 7.1: 2.8.12-1.7 or later
Red Hat 7.2 and 7.3: 2.8.12-2 or later
Red Hat 8.0: 2.0.40-11 or later
httpd:
Red Hat 8.0: 2.0.40-11 or later
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Conectiva Linux Announcement CLSA-2002:541: Cross site scripting vulnerability in mod_ssl.
- EnGarde Secure Linux Security Advisory ESA-20021029-027: apache.
- Gentoo Linux Security Announcement 200210-009: mod_ssl.
- mod_ssl Web site: mod_ssl: The Apache Interface to OpenSSL.
- BID-6029: Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
- CVE-2002-1157: Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL, a different vulnerability than CAN-2002-0840.
- DSA-181: libapache-mod-ssl -- cross site scripting
- MDKSA-2002:072: Updated mod_ssl packages fix cross-site scripting vulnerability
- MDKSA-2003:024: Updated packages fix multiple vulnerabilities
- OSVDB ID: 2107: Apache HTTP Server mod_ssl Host: Header XSS
- RHSA-2002-222: Updated apache
- RHSA-2002-248: apache
- RHSA-2002-251: apache security update
- RHSA-2003-106: Updated apache and mod_ssl packages available
Platforms Affected:
- Apache HTTP Server 1.3.26
- Apache HTTP Server 1.3.9
- Conectiva Linux 6.0
- Conectiva Linux 7.0
- Conectiva Linux 8.0
- Debian Debian Linux 2.2
- Debian Debian Linux 3.0
- EngardeLinux Secure Linux
- Gentoo Linux
- MandrakeSoft Mandrake Linux 7.2
- MandrakeSoft Mandrake Linux 8.0 PPC
- MandrakeSoft Mandrake Linux 8.0
- MandrakeSoft Mandrake Linux 8.1 IA64
- MandrakeSoft Mandrake Linux 8.1
- MandrakeSoft Mandrake Linux 8.2 PPC
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 9.0
- MandrakeSoft Mandrake Single Network Firewall 7.2
- ModSSL Mod SSL 2.4.10
- ModSSL Mod SSL 2.8.9
- OpenPKG OpenPKG 1.0
- OpenPKG OpenPKG 1.1
- OpenPKG OpenPKG CURRENT
- RedHat Enterprise Linux 2.1 AS
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.1 for iSeries
- RedHat Linux 7.1 for pSeries
- RedHat Linux 7.2
- RedHat Linux 7.3
- RedHat Linux 8.0
- RedHat Linux Advanced Workstation 2.1 Itanium
- RedHat Stronghold
Reported:
Oct 22, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
