Bug 850794 - (CVE-2008-0455, CVE-2012-2687) CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20120613,reported=2...
Keywords: Security
Depends On: 787597 851144 853390 854009
Blocks: 850799 855229 881519
Reported: 2012-08-22 08:41 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:48 EST (History)
Fixed In Version: httpd 2.2.23, httpd 2.4.3
Doc Type: Bug Fix
Last Closed: 2013-05-08 13:26:22 EDT
Description Jan Lieskovsky 2012-08-22 08:41:31 EDT
A cross-site scripting (XSS) flaw was found in the way mod_negotiation (MIME types tracking and arbitration module) of httpd, the Apache HTTP server, performed escaping of filename arguments in the HTML variant list to be created / provided (part of the choice response or HTTP 406 status body). When a site has the mod_negotiation module enabled and allows untrusted file uploads to locations with MultiViews enabled, a remote attacker could use this flaw to execute arbitrary HTML or web script via a specially-crafted filename argument provided to the mod_negotiation module.

Relevant upstream patch (against 2.2.x branch):
http://svn.apache.org/viewvc?view=revision&revision=1374421

Upstream security page (covering also this issue):
http://httpd.apache.org/security/vulnerabilities_24.html

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
http://www.apache.org/dist/httpd/CHANGES_2.4.3
Comment 2 Jan Lieskovsky 2012-08-23 06:43:34 EDT
This issue affects the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the version of the httpd package, as shipped with
JBoss Enterprise Web Server 1.

--

This issue affects the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue affects the versions of the httpd package, as shipped with Fedora releases 16 and 17. Please schedule an update.
Comment 3 Jan Lieskovsky 2012-08-23 06:44:38 EDT
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 851144]
Comment 7 Stefan Cornelius 2012-08-31 07:22:18 EDT
Statement:

(none)
Comment 12 Kurt Seifried 2012-09-07 13:38:52 EDT
RHEL 3 and 4 also appear to be affected, if you look at the code change for httpd 2.2:

http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/mappers/mod_negotiation.c?r1=1374421&r2=1374420&pathrev=1374421

If you grab the last httpd source rpms for RHEL 3/4 (httpd-2.0.46-77.ent.src.rpm and httpd-2.0.52-49.ent.src.rpm), the code is virtually identical to that in 2.2, so chances are they are also affected.

The following information provides potential workaround(s) for this issue; please note that these workarounds have not been extensively tested by Red Hat and may impact system performance and availability.

1) Disable the mod_negotiation module

Edit /etc/httpd/conf/httpd.conf and comment out the line:

LoadModule negotiation_module modules/mod_negotiation.so

Please note that this will of course impact any negotiated content/use thereof. 

2) Either remove "MultiViews" from the "Options" lines in Directory specifications in httpd.conf if it has been added (by default MultiViews are not enabled). 

Alternatively, to make sure it is disabled, change:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

to:

<Directory />
Options FollowSymLinks -MultiViews
AllowOverride None
</Directory>

The "-MultiViews" explicitly disables it.

Disabling MultiViews is probably the least impactful of the workarounds and the easiest to implement and track.
Comment 13 Stefan Cornelius 2012-09-12 06:25:51 EDT
This issue does not affect default or common configurations.

The following conditions must be met for the configuration to be vulnerable:

* the mod_negotiation module has to be enabled and used
* attackers can upload or create arbitrarily named files in a directory on the server
* the directory attackers can upload file to/create files in has to have the mod_negotiation "MultiViews" option enabled

Note that any uploads from untrusted users should be carefully sanitized. If users can upload e.g. HTML files, they can perform XSS attacks regardless of this mod_negotiation bug.

The following mitigations can be considered for vulnerable configurations:

* restrict characters that can be used in the uploaded file names
* disable mod_negotiation module, or disable MultiViews option for any directories that contain uploaded content
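An added Python illustration of the two points in this comment (not httpd code and not the upstream patch): the contrast between echoing an upload's name unescaped into a variant list and HTML-escaping it first, plus an allowlist check for the first mitigation. The variant-list rendering is a deliberate simplification of what the 406 body looks like, the sample names are constructed, and the allowlist regex is an assumption about what a site chooses to permit.

```python
import html
import re

# Constructed sample upload names. The second carries markup; the point of
# this bug is that such a name used to be copied verbatim into HTML output.
SAMPLE_NAMES = [
    "report.html",
    "rep<b>ort</b>.html",
]


def variant_list_unescaped(names):
    """Simplified pre-fix rendering: filename embedded verbatim in HTML."""
    return "".join(f'<li><a href="{n}">{n}</a></li>\n' for n in names)


def variant_list_escaped(names):
    """Simplified hardened rendering: HTML-escape the name in attribute and
    text context before embedding it, so markup in the name is inert."""
    out = []
    for n in names:
        safe = html.escape(n, quote=True)
        out.append(f'<li><a href="{safe}">{safe}</a></li>\n')
    return "".join(out)


# Assumed allowlist for the first mitigation (restrict filename characters):
# ASCII letters/digits, dot, underscore, dash; must not start with a dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_upload_name(name):
    """Return True only if the name matches the allowlist and has no '..'
    sequence, so it cannot carry markup, quotes, or path components."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


if __name__ == "__main__":
    print(variant_list_unescaped(SAMPLE_NAMES))
    print(variant_list_escaped(SAMPLE_NAMES))
    for n in SAMPLE_NAMES:
        print(n, "->", "accepted" if is_safe_upload_name(n) else "rejected")
```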
Comment 14 Jan Lieskovsky 2012-09-19 12:25:34 EDT
From the upstream httpd 2.2 security page:
  http://httpd.apache.org/security/vulnerabilities_22.html

Note: This issue is also known as CVE-2008-0455.
Comment 15 Gary Anderson 2012-11-07 11:42:20 EST
According to the upstream httpd 2.2 security page, a fix was released in httpd 2.2.23 on 13 September 2012.  Is Red Hat currently backporting this for RHEL5 and other httpd 2.2.x releases?
Comment 16 Tomas Hoger 2012-11-07 15:38:51 EST
Yes.  The fix should appear in httpd errata in the next minor releases of both Red Hat Enterprise Linux 5 and 6.  Possibly earlier if a security erratum is needed for httpd.  This is rated as having low security impact (see comments above), hence there's no plan to issue an update only correcting this issue.
Comment 17 Tomas Hoger 2012-11-22 09:35:10 EST
(In reply to comment #14)
> From the upstream httpd 2.2 security page:
>   http://httpd.apache.org/security/vulnerabilities_22.html
> 
> Note: This issue is also known as CVE-2008-0455.

This is because the issue was previously reported as a security issue via:

http://www.mindedsecurity.com/MSA01150108.html

That report identified two possible consequences of allowing arbitrarily named files in a directory with MultiViews enabled:
- cross-site scripting - CVE-2008-0455
- HTTP response splitting - CVE-2008-0456

These issues were handled as low priority issues upstream, not really having a security impact (as if you allow uploading files with arbitrary names to a location that is served by httpd, you likely have other bigger problems).  As a consequence, only the second of the two problems got corrected properly at the time.  A few years later, the XSS problem was re-discovered and got fixed under a new CVE, CVE-2012-2687, which really is a duplicate of CVE-2008-0455.

References:
http://thread.gmane.org/gmane.comp.apache.devel/33207
https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
http://svn.apache.org/viewvc?view=revision&revision=752812
Comment 18 errata-xmlrpc 2012-12-18 17:21:42 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
Comment 19 errata-xmlrpc 2012-12-18 17:33:34 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
Comment 20 errata-xmlrpc 2012-12-18 17:53:29 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
Comment 24 errata-xmlrpc 2013-01-08 00:04:36 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0130 https://rhn.redhat.com/errata/RHSA-2013-0130.html
Comment 26 Fedora Update System 2013-02-11 23:59:08 EST
httpd-2.2.23-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 errata-xmlrpc 2013-02-21 05:17:48 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0512 https://rhn.redhat.com/errata/RHSA-2013-0512.html