Red Hat Bugzilla – Full Text Bug Listing
|Summary:|CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled|
|Product:|[Other] Security Response|
|Reporter:|Jan Lieskovsky <jlieskov>|
|Component:|vulnerability|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|CLOSED ERRATA|
|QA Contact:||
|Version:|unspecified|
|CC:|djorm, dosboss64, dsirrine, gary.p.anderson, jkaluza, jorton, pahan, pcheung, weli|
|Fixed In Version:|httpd 2.2.23, httpd 2.4.3|
|Doc Type:|Bug Fix|
|Doc Text:||
|Story Points:|---|
|Last Closed:|2013-05-08 13:26:22 EDT|
|Type:|---|
|oVirt Team:|---|
|RHEL 7.3 requirements from Atomic Host:||
|Bug Depends On:|787597, 851144, 853390, 854009|
|Bug Blocks:|850799, 855229, 881519|
Description Jan Lieskovsky 2012-08-22 08:41:31 EDT
A cross-site scripting (XSS) flaw was found in the way mod_negotiation (MIME types tracking and arbitration module) of httpd, the Apache HTTP server, performed escaping of filename arguments in the to-be-created / provided HTML variant list (part of the choice response or HTTP 406 status body). When a site has the mod_negotiation module enabled and allows untrusted file uploads to locations with MultiViews enabled, a remote attacker could use this flaw to execute arbitrary HTML or web script via a specially crafted filename argument provided to the mod_negotiation module.

Relevant upstream patch (against 2.2.x branch):
http://svn.apache.org/viewvc?view=revision&revision=1374421

Upstream security page (covering also this issue):
http://httpd.apache.org/security/vulnerabilities_24.html

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
http://www.apache.org/dist/httpd/CHANGES_2.4.3
Comment 2 Jan Lieskovsky 2012-08-23 06:43:34 EDT
This issue affects the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Web Server 1.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue affects the versions of the httpd package, as shipped with Fedora release of 16 and 17. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-08-23 06:44:38 EDT
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 851144]
Comment 7 Stefan Cornelius 2012-08-31 07:22:18 EDT
Comment 12 Kurt Seifried 2012-09-07 13:38:52 EDT
RHEL 3 and 4 also appear to be affected, if you look at the code change for httpd 2.2:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c?r1=1374421&r2=1374420&pathrev=1374421

If you grab the last httpd source rpms for RHEL 3/4 httpd, httpd-2.0.46-77.ent.src.rpm and httpd-2.0.52-49.ent.src.rpm, the code is virtually identical to that in 2.2, so chances are they are also affected.

The following information provides potential workaround(s) for this issue. Please note that these workarounds have not been extensively tested by Red Hat and may impact system performance and availability.

1) Disable the mod_negotiation module: edit /etc/httpd/conf/httpd.conf and comment out the line:

    LoadModule negotiation_module modules/mod_negotiation.so

Please note that this will of course impact any negotiated content/use thereof.

2) Either remove "MultiViews" from the "Options" lines in Directory specifications in httpd.conf if it has been added (by default MultiViews is not enabled). Alternatively, to make sure it is disabled, change:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

to:

    <Directory />
        Options FollowSymLinks -MultiViews
        AllowOverride None
    </Directory>

The "-MultiViews" explicitly disables it.

Disabling MultiViews is probably the least impactful and easiest to implement and track of the workarounds.
Comment 13 Stefan Cornelius 2012-09-12 06:25:51 EDT
This issue does not affect default or common configurations. The following conditions must be met for the configuration to be vulnerable:

* the mod_negotiation module has to be enabled and used
* attackers can upload or create arbitrarily named files in a directory on the server
* the directory attackers can upload files to / create files in has to have the mod_negotiation "MultiViews" option enabled

Note that any uploads from untrusted users should be carefully sanitized. If users can upload e.g. HTML files, they can perform XSS attacks regardless of this mod_negotiation bug.

The following mitigations can be considered for vulnerable configurations:

* restrict characters that can be used in the uploaded file names
* disable the mod_negotiation module, or disable the MultiViews option for any directories that contain uploaded content
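The workarounds in comments 12 and 13 both come down to "make sure MultiViews is off wherever untrusted files land". The following audit script is an added example, not code from the bug report or from the httpd project; it applies the Apache Options semantics (a bare list replaces the current set, `All` excludes MultiViews, `+`/`-` adjust it) to each `<Directory>` block of a constructed httpd.conf fragment and reports where MultiViews is still on while mod_negotiation is loaded. Inheritance from enclosing sections, `.htaccess` and `<DirectoryMatch>` are not modeled.

```python
import re

# Constructed httpd.conf fragment (not taken from the bug report). Only the
# "uploads" block should be reported: "All" does NOT include MultiViews, and
# the "safe" block disables it explicitly.
SAMPLE_CONF = """\
LoadModule negotiation_module modules/mod_negotiation.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html/uploads">
    Options Indexes +MultiViews
</Directory>
<Directory "/var/www/html/static">
    Options All
</Directory>
<Directory "/var/www/html/safe">
    Options +FollowSymLinks -MultiViews
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r'^options\b', re.I)

def multiviews_enabled(options_lines):
    """Fold a block's Options lines into one MultiViews state.
    A line without +/- tokens replaces the whole option set; Apache's "All"
    keyword deliberately excludes MultiViews. A line with +/- tokens only
    adjusts the current state (Apache rejects mixing the two styles)."""
    enabled = False
    for line in options_lines:
        tokens = line.split()[1:]
        if not any(t[0] in '+-' for t in tokens):
            enabled = 'multiviews' in (t.lower() for t in tokens)
            continue
        for t in tokens:
            if t.lower().lstrip('+-') == 'multiviews':
                enabled = t[0] != '-'
    return enabled

def audit(conf_text):
    """Return (negotiation_module_loaded, [directory paths with MultiViews on])."""
    module_loaded = bool(re.search(r'^\s*LoadModule\s+negotiation_module\b',
                                   conf_text, re.M))
    hits = []
    for path, body in DIR_RE.findall(conf_text):
        opts = [l.strip() for l in body.splitlines() if OPTIONS_RE.match(l.strip())]
        if multiviews_enabled(opts):
            hits.append(path)
    return module_loaded, hits

if __name__ == "__main__":
    loaded, dirs = audit(SAMPLE_CONF)
    print("mod_negotiation loaded:", loaded)
    print("MultiViews enabled in:", dirs)
```

Directories reported by `audit()` that also receive untrusted uploads are the ones the mitigations above target; everywhere else a `-MultiViews` is harmless but unnecessary.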
Comment 14 Jan Lieskovsky 2012-09-19 12:25:34 EDT
From the upstream httpd 2.2 security page:
http://httpd.apache.org/security/vulnerabilities_22.html

Note: This issue is also known as CVE-2008-0455.
Comment 15 Gary Anderson 2012-11-07 11:42:20 EST
According to the upstream httpd 2.2 security page, a fix was released in httpd 2.2.23 on 13 September 2012. Is Red Hat currently backporting this for RHEL5 and other httpd 2.2.x releases?
Comment 16 Tomas Hoger 2012-11-07 15:38:51 EST
Yes. The fix should appear in httpd errata in the next minor releases of both Red Hat Enterprise Linux 5 and 6, possibly earlier if a security erratum is needed for httpd. This is rated as having low security impact (see comments above), hence there's no plan to issue an update only correcting this issue.
Comment 17 Tomas Hoger 2012-11-22 09:35:10 EST
(In reply to comment #14)
> From the upstream httpd 2.2 security page:
> http://httpd.apache.org/security/vulnerabilities_22.html
>
> Note: This issue is also known as CVE-2008-0455.

This is because the issue was previously reported as a security issue via:
http://www.mindedsecurity.com/MSA01150108.html

That report identified two possible consequences of allowing arbitrarily named files in a directory with MultiViews enabled:

- cross-site scripting - CVE-2008-0455
- HTTP response splitting - CVE-2008-0456

These issues were handled as low priority issues upstream, not really having a security impact (as if you allow uploading files with arbitrary names to a location that is served by httpd, you likely have other bigger problems). As a consequence, only the second of the two problems got corrected properly at the time. A few years later, the XSS problem was re-discovered and got fixed under a new CVE - CVE-2012-2687, which really is a duplicate of CVE-2008-0455.

References:
http://thread.gmane.org/gmane.comp.apache.devel/33207
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
http://svn.apache.org/viewvc?view=revision&revision=752812
Comment 18 errata-xmlrpc 2012-12-18 17:21:42 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
Comment 19 errata-xmlrpc 2012-12-18 17:33:34 EST
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
Comment 20 errata-xmlrpc 2012-12-18 17:53:29 EST
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
Comment 24 errata-xmlrpc 2013-01-08 00:04:36 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0130 https://rhn.redhat.com/errata/RHSA-2013-0130.html
Comment 26 Fedora Update System 2013-02-11 23:59:08 EST
httpd-2.2.23-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.