Bug 177913 - CVE-2005-3352 mod_imagemap XSS in FC5test2
Summary: CVE-2005-3352 mod_imagemap XSS in FC5test2
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: httpd
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard: impact=moderate,public=20051212,repor...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-01-16 12:59 UTC by Mark J. Cox
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: 2.2.0-5
Clone Of:
Environment:
Last Closed: 2006-02-03 10:41:14 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Mark J. Cox 2006-01-16 12:59:10 UTC
From http://issues.apache.org/bugzilla/show_bug.cgi?id=37874

Summary:

A flaw in the imagemap processing module, mod_imap, in versions of Apache httpd
1.3, 2.0 and 2.2 can in some circumstances cause the referer header to be output
without being escaped in HTML.  This could allow an attacker who is able to
influence the referer header the ability to do cross-site scripting attacks
against sites using mod_imap in a vulnerable configuration.

Impact: 

moderate (http://httpd.apache.org/security/impact_levels.html)

Mitigation:

This flaw only affects sites using mod_imap with a map file that contains the
"referer" directive.

In order to exploit this flaw the attacker would need to control the  referer
header and therefore would need to entice a victim to visit a URL under the
attackers control.

A sucessful cross-site scripting attack using this flaw would be limited to
certain browsers.  Firefox and Mozilla browsers for example already escape
suspect characters in a URL which blocks this from being exploited.

Solution:

The attached patch ensures that the referer header in mod_imap is escaped and
therefore cannot be used as part of a cross-site scripting attack.

Where this patch cannot be used, a temporary solution is to remove the "referer"
directive from any map files.

Verification:

I was able to verify this by constructing a victim site with a vulnerable
mod_imap configuration and by constructing a set of scripts on the attacker
site.  When the attackers site was visited using the Internet Explorer browser
it was able to steal the users private cookies from the victim site.

Patches available at the above URL

Comment 1 Mark J. Cox 2006-01-31 08:18:36 UTC
ping!  if fixed in rawhide please close this bug, otherwise please try to fix
this before FC5Test3 (Feb 6)

Comment 2 Joe Orton 2006-02-03 10:41:14 UTC
Fixed in 2.2.0-5.


Note You need to log in before you can comment on or make changes to this bug.