Bug 46837 - CVE-2008-0456 Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_negotiation
Version: 2.2.9
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://web.nvd.nist.gov/view/vuln/det...
Keywords: RFC
Depends on:
Blocks:
 
Reported: 2009-03-11 16:47 UTC by Geoff Keating
Modified: 2009-05-10 08:15 UTC



Attachments
fix, applies to 2.2.9 (897 bytes, patch)
2009-03-11 16:47 UTC, Geoff Keating

Description Geoff Keating 2009-03-11 16:47:30 UTC
Created attachment 23371
fix, applies to 2.2.9

When mod_negotiation returns a 406 response when serving a file whose name includes whitespace or other special characters, those characters are not escaped in the Alternates: header.

Similarly, the Content-Location: header is not escaped.

As a result, content negotiation will probably not work with such files.  There is also a security impact: a user who can control the name of files on a web server could inject responses that appear to come from other web sites served by the same system.

On Mac OS X, this may be reproduced by

touch ~/Sites/'junk
Header: Injected
blah:.jpg'

and then requesting

http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:

The CVE description claims the bug is present in 2.2.6 and earlier.  I have confirmed it in 2.2.9.  Possibly all Apache versions that support content negotiation are affected.

A patch is attached.
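
The escaping the description above calls for, as an added example (it is not the attached patch and not httpd code): `escape_segment` and `content_location_lines` are hypothetical helpers, and the sample name is constructed from the reproduction steps. Percent-encoding every byte outside the RFC 3986 unreserved set turns a file name containing line feeds into one header line instead of three.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the file name from the report, with LF bytes in it. */
static const char SAMPLE_NAME[] = "junk\nHeader: Injected\nblah:.jpg";
/* RFC 3986 "unreserved" characters; everything else gets percent-encoded. */
static const char SAFE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

/* Hypothetical helper, not httpd's API. Caller frees the result; NULL on OOM. */
char *escape_segment(const char *name)
{
    char *out = malloc(3 * strlen(name) + 1), *p = out;
    if (out == NULL)
        return NULL;
    for (const unsigned char *s = (const unsigned char *)name; *s; s++) {
        if (strchr(SAFE, *s) != NULL)
            *p++ = (char)*s;
        else                      /* CR, LF, space, quote, colon, ... */
            p += sprintf(p, "%%%02X", (unsigned)*s);
    }
    *p = '\0';
    return out;
}

/* Format a Content-Location header and return its LF count (-1 on error). */
int content_location_lines(char *buf, size_t len, const char *name, int escape)
{
    char *safe = escape ? escape_segment(name) : NULL;
    int n, lines = 0;
    if (escape && safe == NULL)
        return -1;
    n = snprintf(buf, len, "Content-Location: %s\r\n", escape ? safe : name);
    free(safe);
    if (n < 0 || (size_t)n >= len)
        return -1;
    for (const char *c = buf; *c; c++)
        lines += (*c == '\n');
    return lines;
}

int main(void)
{
    char buf[256];
    printf("raw: %d header line(s)\n", content_location_lines(buf, sizeof buf, SAMPLE_NAME, 0));
    printf("escaped: %d header line(s)\n%s", content_location_lines(buf, sizeof buf, SAMPLE_NAME, 1), buf);
    return 0;
}
```
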
Comment 1 Joe Orton 2009-03-12 01:54:49 UTC
I think this was considered a misconfiguration, not a bug.

http://marc.info/?l=apache-httpd-dev&m=120220806715363&w=2
Comment 2 Ruediger Pluem 2009-03-12 02:31:36 UTC
Thanks for the patch. Committed as r752812 to trunk.
Comment 3 Ruediger Pluem 2009-05-10 08:15:26 UTC
Backported to 2.2.x as r752812.