Bug 850794 (CVE-2008-0455, CVE-2012-2687)

Summary: CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | unspecified | CC | djorm, dosboss64, dsirrine, gary.p.anderson, jkaluza, jorton, pahan, pcheung, weli |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | httpd 2.2.23, httpd 2.4.3 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2013-05-08 17:26:22 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 787597, 851144, 853390, 854009 | | |
| Bug Blocks | 850799, 855229, 881519 | | |
Description

Jan Lieskovsky, 2012-08-22 12:41:31 UTC

This issue affects the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Web Server 1.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (the re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue affects the versions of the httpd package, as shipped with Fedora releases 16 and 17. Please schedule an update.

Created httpd tracking bugs for this issue

Affects: fedora-all [bug 851144]

Statement:

(none)

RHEL 3 and 4 also appear to be affected, if you look at the code change for httpd 2.2:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c?r1=1374421&r2=1374420&pathrev=1374421

If you grab the last httpd source rpms for RHEL 3/4 httpd, httpd-2.0.46-77.ent.src.rpm and httpd-2.0.52-49.ent.src.rpm, the code is virtually identical to that in 2.2, so chances are they are also affected.

The following information provides potential workaround(s) for this issue; please note that these workarounds have not been extensively tested by Red Hat and may impact system performance and availability.

1) Disable the mod_negotiation module: edit /etc/httpd/conf/httpd.conf and comment out the line:

    LoadModule negotiation_module modules/mod_negotiation.so

Please note that this will of course impact any negotiated content/use thereof.

2) Either remove "MultiViews" from the "Options" lines in Directory specifications in httpd.conf if it has been added (by default MultiViews is not enabled), or, to make sure it is disabled, change:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

to:

    <Directory />
        Options FollowSymLinks -MultiViews
        AllowOverride None
    </Directory>

The "-MultiViews" explicitly disables it. Disabling MultiViews is probably the least impactful and easiest to implement and track of the workarounds.

This issue does not affect default or common configurations. The following conditions must be met for the configuration to be vulnerable:

* the mod_negotiation module has to be enabled and used
* attackers can upload or create arbitrarily named files in a directory on the server
* the directory attackers can upload files to/create files in has to have the mod_negotiation "MultiViews" option enabled

Note that any uploads from untrusted users should be carefully sanitized. If users can upload e.g. HTML files, they can perform XSS attacks regardless of this mod_negotiation bug.

The following mitigations can be considered for vulnerable configurations:

* restrict characters that can be used in the uploaded file names
* disable the mod_negotiation module, or disable the MultiViews option for any directories that contain uploaded content

From the upstream httpd 2.2 security page:
http://httpd.apache.org/security/vulnerabilities_22.html

Note: This issue is also known as CVE-2008-0455.

According to the upstream httpd 2.2 security page, a fix was released in httpd 2.2.23 on 13 September 2012. Is Red Hat currently backporting this for RHEL5 and other httpd 2.2.x releases?

Yes. The fix should appear in httpd errata in the next minor releases of both Red Hat Enterprise Linux 5 and 6, possibly earlier if a security erratum is needed for httpd. This is rated as having low security impact (see comments above), hence there's no plan to issue an update only correcting this issue.

(In reply to comment #14)
> From the upstream httpd 2.2 security page:
> http://httpd.apache.org/security/vulnerabilities_22.html
>
> Note: This issue is also known as CVE-2008-0455.

This is because the issue was previously reported as a security issue via:
http://www.mindedsecurity.com/MSA01150108.html

That report identified two possible consequences of allowing arbitrarily named files in a directory with MultiViews enabled:

- cross-site scripting - CVE-2008-0455
- HTTP response splitting - CVE-2008-0456

These issues were handled as low priority issues upstream, not really having a security impact (as if you allow uploading files with arbitrary names to a location that is served by httpd, you likely have other bigger problems). As a consequence, only the second of the two problems got corrected properly at the time. A few years later, the XSS problem was rediscovered and got fixed under a new CVE, CVE-2012-2687, which really is a duplicate of CVE-2008-0455.

References:
http://thread.gmane.org/gmane.comp.apache.devel/33207
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
http://svn.apache.org/viewvc?view=revision&revision=752812

This issue has been addressed in the following products:

JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html

This issue has been addressed in the following products:

JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html

This issue has been addressed in the following products:

JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2013:0130 https://rhn.redhat.com/errata/RHSA-2013-0130.html

httpd-2.2.23-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:0512 https://rhn.redhat.com/errata/RHSA-2013-0512.html
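The workaround and the list of conditions above both come down to two configuration facts: whether negotiation_module is loaded, and which <Directory> blocks end up with MultiViews in their effective Options. The following script, an added example for this page rather than code from the Red Hat or Apache projects, audits an httpd configuration for exactly those two facts. It assumes that only <Directory> containers matter (no <Location>, <Files> or .htaccess), that blocks do not inherit Options from enclosing blocks, and that Options lines follow Apache's documented rules: a line mixing +/- with plain names is an error, a plain list replaces the current set, "None" clears it, and "All" means every option except MultiViews. The sample configuration embedded in it is constructed.

```python
"""Audit an httpd configuration for the two conditions in the bug report:
mod_negotiation loaded, and MultiViews active in some <Directory> block.
Added example; not Red Hat or Apache code. See assumptions in the comments."""
import re

# Constructed sample: one block enables MultiViews, one explicitly disables
# it, one uses "All" (which excludes MultiViews), the root block lists neither.
SAMPLE_CONF = """\
LoadModule negotiation_module modules/mod_negotiation.so

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/uploads">
    Options Indexes MultiViews
</Directory>

<Directory "/var/www/safe">
    Options +Indexes -MultiViews
</Directory>

<Directory "/var/www/all">
    Options All
</Directory>
"""

DIRECTORY_RE = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.IGNORECASE | re.DOTALL
)

# What "Options All" expands to; Apache deliberately leaves MultiViews out.
ALL_EXCEPT_MULTIVIEWS = frozenset(
    {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
)


def _expand(name):
    """Map one option keyword to the set of lowercase option names it denotes."""
    name = name.lower()
    if name == "all":
        return set(ALL_EXCEPT_MULTIVIEWS)
    if name == "none":
        return set()
    return {name}


def apply_options_line(current, tokens):
    """Apply the arguments of one 'Options ...' line to the current option set."""
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        raise ValueError("mixed relative and absolute Options: " + " ".join(tokens))
    if not any(relative):
        # Absolute form: the listed options replace whatever was set before.
        result = set()
        for t in tokens:
            result |= _expand(t)
        return result
    # Relative form: +name adds, -name removes; order within the line matters.
    result = set(current)
    for t in tokens:
        if t[0] == "+":
            result |= _expand(t[1:])
        else:
            result -= _expand(t[1:])
    return result


def negotiation_loaded(conf):
    """True if an uncommented LoadModule line loads negotiation_module."""
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"LoadModule\s+negotiation_module\b", stripped, re.IGNORECASE):
            return True
    return False


def multiviews_directories(conf):
    """Paths of <Directory> blocks whose effective Options include MultiViews."""
    findings = []
    for match in DIRECTORY_RE.finditer(conf):
        path, body = match.group(1), match.group(2)
        options = set()  # assumption: no inheritance from enclosing blocks
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()  # drop trailing comments
            if len(parts) >= 2 and parts[0].lower() == "options":
                options = apply_options_line(options, parts[1:])
        if "multiviews" in options:
            findings.append(path)
    return findings


def audit(conf):
    """Both conditions must hold for the issue to be reachable at all."""
    loaded, dirs = negotiation_loaded(conf), multiviews_directories(conf)
    return {"negotiation_loaded": loaded, "multiviews_dirs": dirs,
            "exposed": loaded and bool(dirs)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run against the sample it reports only /var/www/uploads, since the "-MultiViews" form and "Options All" both leave MultiViews off. A directory flagged here is only a problem when untrusted users can also create files in it, which is the remaining condition from the report that no config scan can see.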