Bug 46837

Summary: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Product: Apache httpd-2
Reporter: Geoff Keating <geoffk>
Component: mod_negotiation
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
Keywords: RFC
Priority: P2
Version: 2.2.9
Target Milestone: ---
Hardware: All
OS: All
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0456
Attachments: fix, applies to 2.2.9

Description Geoff Keating 2009-03-11 16:47:30 UTC
Created attachment 23371
fix, applies to 2.2.9

When mod_negotiation returns a 406 response when serving a file whose name includes whitespace or other special characters, those characters are not escaped in the Alternates: header.

Similarly, the Content-Location: header is not escaped.

As a result, content negotiation will probably not work with such files.  There is also a security impact: a user who can control the name of files on a web server could inject responses that appear to come from other web sites served by the same system.

On Mac OS X, this may be reproduced by

touch ~/Sites/'junk
Header: Injected
blah:.jpg'

and then requesting

http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:

The CVE description claims the bug is present in 2.2.6 and earlier.  I have confirmed it in 2.2.9.  Possibly all Apache versions that support content negotiation are affected.

A patch is attached.
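A defensive illustration of the point made in this report, added here as an example; it is not the attached patch and not httpd's own code. It percent-encodes a file name before placing it in a Content-Location header and refuses to emit a header line that still contains CR or LF, which is the condition that lets a crafted file name split the response. The function names and the sample file name are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that may appear verbatim in a URI path segment (RFC 3986 unreserved set). */
static int is_unreserved(unsigned char c) {
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Returns 1 if the value contains CR or LF, i.e. would terminate the header
   line early and let the remainder be parsed as further headers or body. */
int header_value_has_crlf(const char *v) {
    return strpbrk(v, "\r\n") != NULL;
}

/* Percent-encodes every byte outside the unreserved set, so CR, LF, space,
   colon and friends cannot reach the wire unescaped. Caller frees the result. */
char *escape_for_header(const char *name) {
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(name);
    char *out = malloc(len * 3 + 1);   /* worst case: every byte becomes %XX */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (is_unreserved(c)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}

/* Builds a Content-Location header line for a file name and returns it from a
   static buffer (not thread-safe; fine for a demonstration). Returns NULL if
   the line would not fit or, as a last-line defence, still contains CR/LF. */
const char *content_location_line(const char *name) {
    static char line[512];
    char *esc = escape_for_header(name);
    if (!esc) return NULL;
    int n = snprintf(line, sizeof line, "Content-Location: %s", esc);
    free(esc);
    if (n < 0 || (size_t)n >= sizeof line) return NULL;
    return header_value_has_crlf(line) ? NULL : line;
}

int main(void) {
    /* Constructed sample: a file name that embeds LF and a bogus header line. */
    const char *name = "junk\nHeader: Injected\nblah:.jpg";
    printf("raw value would split the header: %s\n",
           header_value_has_crlf(name) ? "yes" : "no");
    const char *hdr = content_location_line(name);
    printf("%s\n", hdr ? hdr : "(refused)");
    return 0;
}
```

The check in `content_location_line` is deliberately redundant with the escaping: an encoder that forgets a byte class is exactly the failure this bug describes, so the emitter should independently reject any header value in which CR or LF survives.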
Comment 1 Joe Orton 2009-03-12 01:54:49 UTC
I think this was considered a misconfiguration, not a bug.

http://marc.info/?l=apache-httpd-dev&m=120220806715363&w=2
Comment 2 Ruediger Pluem 2009-03-12 02:31:36 UTC
Thanks for the patch. Committed as r752812 to trunk.
Comment 3 Ruediger Pluem 2009-05-10 08:15:26 UTC
Backported to 2.2.x as r752812.