Bug 850794 (CVE-2008-0455, CVE-2012-2687) - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
Summary: CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file nam...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0455, CVE-2012-2687
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 787597 851144 853390 854009
Blocks: 850799 855229 881519
Reported: 2012-08-22 12:41 UTC by Jan Lieskovsky
Modified: 2021-02-23 14:03 UTC (History)

Fixed In Version: httpd 2.2.23, httpd 2.4.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-05-08 17:26:22 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1591 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:19:29 UTC
Red Hat Product Errata RHSA-2012:1592 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:31:01 UTC
Red Hat Product Errata RHSA-2012:1594 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.0.1 update 2012-12-19 03:52:56 UTC
Red Hat Product Errata RHSA-2013:0130 0 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2013-01-08 09:33:40 UTC
Red Hat Product Errata RHSA-2013:0512 0 normal SHIPPED_LIVE Low: httpd security, bug fix, and enhancement update 2013-02-20 21:29:30 UTC

Description Jan Lieskovsky 2012-08-22 12:41:31 UTC
A cross-site scripting (XSS) flaw was found in the way mod_negotiation (MIME types tracking and arbitration module) of httpd, the Apache HTTP server, performed escaping of filename arguments in the HTML variant list it creates (part of the choice response or HTTP 406 status body). When a site has the mod_negotiation module enabled and allows untrusted file uploads to locations with MultiViews enabled, a remote attacker could use this flaw to execute arbitrary HTML or webscript via a specially-crafted filename argument provided to the mod_negotiation module.

Relevant upstream patch (against 2.2.x branch):
http://svn.apache.org/viewvc?view=revision&revision=1374421

Upstream security page (covering also this issue):
http://httpd.apache.org/security/vulnerabilities_24.html

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
http://www.apache.org/dist/httpd/CHANGES_2.4.3

Comment 2 Jan Lieskovsky 2012-08-23 10:43:34 UTC
This issue affects the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the httpd package, as shipped with
JBoss Enterprise Web Server 1.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue affects the versions of the httpd package, as shipped with Fedora release of 16 and 17. Please schedule an update.

Comment 3 Jan Lieskovsky 2012-08-23 10:44:38 UTC
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 851144]

Comment 7 Stefan Cornelius 2012-08-31 11:22:18 UTC
Statement:

(none)

Comment 12 Kurt Seifried 2012-09-07 17:38:52 UTC
RHEL 3 and 4 also appear to be affected, if you look at the code change for httpd 2.2:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c?r1=1374421&r2=1374420&pathrev=1374421

If you grab the last httpd source rpms for RHEL 3/4 httpd: httpd-2.0.46-77.ent.src.rpm and httpd-2.0.52-49.ent.src.rpm

the code is virtually identical to that in 2.2, so chances are they are also affected.

The following information provides potential workaround(s) for this issue. Please note that these workarounds have not been extensively tested by Red Hat and may impact system performance and availability.

1) disable the mod_negotiation module

edit /etc/httpd/conf/httpd.conf and comment out the line:

LoadModule negotiation_module modules/mod_negotiation.so

Please note that this will of course impact any negotiated content/use thereof. 

2) Either remove "MultiViews" from the "Options" lines in Directory specifications in httpd.conf if it has been added (by default MultiViews are not enabled). 

Alternatively, to make sure it is disabled, change:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

to:

<Directory />
Options FollowSymLinks -MultiViews
AllowOverride None
</Directory>

the "-MultiViews" explicitly disables it.

Disabling MultiViews is probably the least impactful and easiest to implement and track of the workarounds.
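
As an added detection check (not code from the bug report or from the httpd project), the following Python script reads httpd.conf-style text and reports whether the two preconditions behind this workaround coincide: mod_negotiation loaded, and MultiViews left enabled in some <Directory> block. The sample configuration and its directory paths are constructed for the example.

```python
import re

# Constructed sample httpd.conf fragment (not from the bug report); the
# directory paths are illustrative placeholders.
SAMPLE_CONF = """\
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule speling_module modules/mod_speling.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/uploads">
    Options +MultiViews
    AllowOverride None
</Directory>
<Directory "/var/www/safe">
    Options +FollowSymLinks -MultiViews
</Directory>
<Directory "/var/www/reset">
    Options +MultiViews
    Options Indexes
</Directory>
"""

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+negotiation_module\b", re.M)
DIR_OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE_RE = re.compile(r"^\s*</Directory\s*>", re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)


def negotiation_module_loaded(conf: str) -> bool:
    """True if an uncommented LoadModule line loads mod_negotiation."""
    return LOADMODULE_RE.search(conf) is not None


def apply_options_line(enabled: bool, tokens: list[str]) -> bool:
    """Fold one Options line into the MultiViews state of the current block.

    Keywords without a +/- prefix replace the inherited option set, so such
    a line clears MultiViews unless it lists it again; +MultiViews and
    -MultiViews adjust the state incrementally.
    """
    if any(not t.startswith(("+", "-")) for t in tokens):
        enabled = False
    for tok in tokens:
        if tok.lstrip("+-").lower() == "multiviews":
            enabled = not tok.startswith("-")
    return enabled


def directories_with_multiviews(conf: str) -> list[str]:
    """Paths of <Directory> blocks whose own Options lines leave MultiViews on."""
    found = []
    current = None
    enabled = False
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIR_OPEN_RE.match(line)
        if m:
            current, enabled = m.group(1).strip(), False
            continue
        if DIR_CLOSE_RE.match(line):
            if current is not None and enabled:
                found.append(current)
            current, enabled = None, False
            continue
        m = OPTIONS_RE.match(line)
        if m and current is not None:
            enabled = apply_options_line(enabled, m.group(1).split())
    return found


def audit(conf: str) -> dict:
    """Summarise whether both preconditions from this bug are present."""
    loaded = negotiation_module_loaded(conf)
    dirs = directories_with_multiviews(conf)
    return {
        "negotiation_module_loaded": loaded,
        "multiviews_directories": dirs,
        "exposed": loaded and bool(dirs),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run it over /etc/httpd/conf/httpd.conf and every file it includes. It evaluates each <Directory> block on its own and does not model Directory inheritance, Include directives, or MultiViews enabled from .htaccess where AllowOverride Options is permitted, so a clean result is a starting point, not proof. httpd documents mixing prefixed and unprefixed Options keywords on one line as invalid syntax (2.4 rejects it at startup), so write either a plain list such as `Options FollowSymLinks` or an all-prefixed one such as `Options +FollowSymLinks -MultiViews`.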

Comment 13 Stefan Cornelius 2012-09-12 10:25:51 UTC
This issue does not affect default or common configurations.

The following conditions must be met for the configuration to be vulnerable:

* the mod_negotiation module has to be enabled and used
* attackers can upload or create arbitrarily named files in a directory on the server
* the directory attackers can upload file to/create files in has to have the mod_negotiation "MultiViews" option enabled

Note that any uploads from untrusted users should be carefully sanitized. If users can upload e.g. HTML files, they can perform XSS attacks regardless of this mod_negotiation bug.

The following mitigations can be considered for vulnerable configurations:

* restrict characters that can be used in the uploaded file names
* disable mod_negotiation module, or disable MultiViews option for any directories that contain uploaded content
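
For the first mitigation in the list above (restricting the characters allowed in uploaded file names), here is an added Python example, not code from the bug report or from httpd, of an allowlist-based sanitizer an upload handler could apply before writing a file into a directory served with MultiViews. The file names it runs on are constructed, and the set of accepted extensions is an illustrative assumption.

```python
import re
import unicodedata

# Allowlist: letters, digits, dot, underscore, hyphen. Every other run of
# characters (angle brackets, quotes, spaces, control characters, ...) is
# replaced by a single underscore.
UNSAFE_RUN_RE = re.compile(r"[^A-Za-z0-9._-]+")
MAX_NAME_LEN = 100
# Illustrative assumption: the extensions this upload handler accepts.
DEFAULT_ALLOWED_EXTS = frozenset({"txt", "png", "jpg", "jpeg", "gif", "pdf"})


def sanitize_filename(name: str, allowed_exts: frozenset = DEFAULT_ALLOWED_EXTS) -> str:
    """Return a server-chosen safe name derived from an untrusted one.

    Raises ValueError when nothing usable is left or the extension is not
    on the allowlist.
    """
    name = unicodedata.normalize("NFKC", name)
    # Drop any directory component the client supplied (either separator).
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = UNSAFE_RUN_RE.sub("_", name)
    name = name.lstrip("._")             # no dotfiles such as .htaccess, no empty stem
    name = re.sub(r"\.{2,}", ".", name)  # collapse runs of dots, so no '..' survives
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("file name unusable after sanitisation")
    _stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in allowed_exts:
        raise ValueError(f"extension {ext!r} not allowed")
    return name


def is_safe_filename(name: str) -> bool:
    """Predicate a handler can use to verify a name just before writing it."""
    return (
        0 < len(name) <= MAX_NAME_LEN
        and UNSAFE_RUN_RE.search(name) is None
        and not name.startswith(".")
        and ".." not in name
    )


def is_acceptable_upload_name(name: str) -> bool:
    """True if sanitize_filename accepts the name with the default allowlist."""
    try:
        sanitize_filename(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed untrusted names, including the kind of markup this bug
    # would have reflected into mod_negotiation's variant list.
    for raw in ["report<img src=x>.txt", "../../etc/passwd.txt", ".htaccess", "notes.html"]:
        try:
            print(f"{raw!r} -> {sanitize_filename(raw)!r}")
        except ValueError as exc:
            print(f"{raw!r} -> rejected ({exc})")
```

The sanitizer never tries to escape markup; it replaces anything outside the allowlist, which is the property that matters when a module such as mod_negotiation later echoes the name into HTML. The extension allowlist addresses the separate point made above that uploaded HTML is an XSS vector on its own, and the dotfile rule keeps files like .htaccess out of served directories.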

Comment 14 Jan Lieskovsky 2012-09-19 16:25:34 UTC
From the upstream httpd 2.2 security page:
  http://httpd.apache.org/security/vulnerabilities_22.html

Note: This issue is also known as CVE-2008-0455.

Comment 15 Gary Anderson 2012-11-07 16:42:20 UTC
According to the upstream httpd 2.2 security page, a fix was released in httpd 2.2.23 on 13 September 2012.  Is Red Hat currently backporting this for RHEL5 and other httpd 2.2.x releases?

Comment 16 Tomas Hoger 2012-11-07 20:38:51 UTC
Yes.  The fix should appear in httpd errata in the next minor releases of both Red Hat Enterprise Linux 5 and 6.  Possibly earlier if a security erratum is needed for httpd.  This is rated as having low security impact (see comments above), hence there's no plan to issue an update only correcting this issue.

Comment 17 Tomas Hoger 2012-11-22 14:35:10 UTC
(In reply to comment #14)
> From the upstream httpd 2.2 security page:
>   http://httpd.apache.org/security/vulnerabilities_22.html
> 
> Note: This issue is also known as CVE-2008-0455.

This is because the issue was previously reported as a security issue via:

http://www.mindedsecurity.com/MSA01150108.html

That report identified two possible consequences of allowing arbitrarily named files in a directory with MultiViews enabled:
- cross-site scripting - CVE-2008-0455
- HTTP response splitting - CVE-2008-0456

These issues were handled as low priority issues upstream, not really having a security impact (as if you allow uploading files with arbitrary names to a location that is served by httpd, you likely have other bigger problems).  As a consequence, only the second of the two problems got corrected properly at the time.  A few years later, the XSS problem was re-discovered and got fixed under a new CVE, CVE-2012-2687, which really is a duplicate of CVE-2008-0455.

References:
http://thread.gmane.org/gmane.comp.apache.devel/33207
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
http://svn.apache.org/viewvc?view=revision&revision=752812

Comment 18 errata-xmlrpc 2012-12-18 22:21:42 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html

Comment 19 errata-xmlrpc 2012-12-18 22:33:34 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html

Comment 20 errata-xmlrpc 2012-12-18 22:53:29 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html

Comment 24 errata-xmlrpc 2013-01-08 05:04:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0130 https://rhn.redhat.com/errata/RHSA-2013-0130.html

Comment 26 Fedora Update System 2013-02-12 04:59:08 UTC
httpd-2.2.23-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 errata-xmlrpc 2013-02-21 10:17:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0512 https://rhn.redhat.com/errata/RHSA-2013-0512.html
