Summary: | XSS in Error Page | |
---|---|---|---
Product: | Apache httpd-2 | Reporter: | greyhat
Component: | Core | Assignee: | Apache HTTPD Bugs Mailing List <bugs>
Status: | RESOLVED WONTFIX | |
Severity: | major | |
Priority: | P2 | |
Version: | 2.4.25 | |
Target Milestone: | --- | |
Hardware: | PC | |
OS: | All | |
Attachments: | Hover over the link and see the payload | |
I have the same issue for

```
aim-server[~/tmp/deti_dohtur]$ httpd -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 authz_core_module (shared)
 access_compat_module (shared)
 socache_shmcb_module (shared)
 include_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 mpm_event_module (shared)
 unixd_module (shared)
 autoindex_module (shared)
 suexec_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 fastcgi_module (shared)
aim-server[~/tmp/deti_dohtur]$ httpd -V
Server version: Apache/2.4.25 (Unix)
Server built:   May 21 2017 22:05:06
Server's Module Magic Number: 20120211:67
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/bin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
aim-server[~/tmp/deti_dohtur]$ httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
aim-server[~/tmp/deti_dohtur]$ uname -a
Linux aim-server.crtdev.local 4.11.3-1-ARCH #1 SMP PREEMPT Sun May 28 10:40:17 CEST 2017 x86_64 GNU/Linux
aim-server[~/tmp/deti_dohtur]$
```

It seems you have to change the templates like /usr/share/httpd/error/HTTP_NOT_FOUND.html.var to sanitize the HTTP_REFERER variable.

We do not treat this as a security issue.
Due to it requiring a malicious referer header it is not possible to leverage this issue in any form of practical XSS attack.
Created attachment 32983
Hover over the link and see the payload

Setup Details: Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.6.11

Request to server:

```http
GET /not_existing_link HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: javascript:alert(1)//452bce05
Cookie: _ga=GA1.1.1225409471.1439004440; _gat=1
Connection: keep-alive
```

When we send the above request to the server, the script in the referer header (`Referer: javascript:alert(1)//452bce05`) gets embedded in the error page. This gets executed when the user clicks on the link (image attached). The same can be used for self XSS.

Recommendation: Convert respective characters from the referer header into their HTML entities.
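As an added illustration of the sanitisation the recommendation asks for (example code written for this page, not code from the report or from httpd's own error templates): a hypothetical Python rendering of the template's "referring page" link that emits the Referer only when it is an absolute http(s) URL and then entity-encodes it. The scheme check matters because entity encoding alone leaves a `javascript:` value a valid `href`; the function names and sample values are constructed.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Only absolute web URLs may be reflected into the error page's href.
ALLOWED_SCHEMES = ("http", "https")


def safe_referer(value: Optional[str]) -> Optional[str]:
    """Return an entity-encoded Referer suitable for an href attribute,
    or None when it is absent, relative, or uses a non-http(s) scheme
    (javascript:, data:, ...), so that such values are dropped entirely."""
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # quote=True also turns " and ' into entities, so the value cannot
    # terminate the attribute it is placed in.
    return html.escape(value.strip(), quote=True)


def render_not_found(referer: Optional[str]) -> str:
    """Hypothetical stand-in for the HTTP_NOT_FOUND template fragment:
    the 'referring page' link is only rendered for a validated Referer."""
    safe = safe_referer(referer)
    if safe is None:
        return "<p>The requested URL was not found on this server.</p>"
    return ('<p>The link on the <a href="%s">referring page</a> '
            'seems to be wrong or outdated.</p>' % safe)


if __name__ == "__main__":
    # Constructed samples: the value quoted in the report and two benign referers.
    for sample in ("javascript:alert(1)//452bce05",
                   "https://example.com/a?b=1&c=<x>",
                   'https://example.com/?q="x"'):
        print(repr(sample), "->", render_not_found(sample))
```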