copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

AA-2008.0009 -- [UNIX/Linux] -- Multiple vulnerabilities in Apache Modules

Date: 15 January 2008
References: ESB-2008.0056  ESB-2008.0074  ESB-2008.0560  ESB-2008.1062  ESB-2009.1211  ESB-2009.1435  ASB-2010.0122  ESB-2010.0473  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AA-2008.0009                  AUSCERT Advisory

                               [UNIX/Linux]
                Multiple vulnerabilities in Apache Modules
                              15 January 2008
- ---------------------------------------------------------------------------

        AusCERT Advisory Summary
        ------------------------

Product:              mod_status
                      mod_proxy_balancer
                      mod_proxy_ftp
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Cross-site Scripting
                      Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6388 CVE-2007-6421 CVE-2007-6422
                      CVE-2008-0005
Member content until: Tuesday, February 12 2008

OVERVIEW:

       Multiple vulnerabilities have been reported in Apache Modules that
       if successfully exploited can result in cross-site scripting (XSS)
       attacks or a Denial of Service (DoS).


IMPACT:

       mod_status: "The Status module allows a server administrator to 
       find out how well their server is performing. A HTML page is 
       presented that gives the current server statistics in an easily 
       readable form. If required this page can be made to automatically 
       refresh (given a compatible browser). Another page gives a simple 
       machine-readable list of the current server state." [1] 

       The National Vulnerability Database [2], gives the following
       information regarding this vulnerability:

        o CVE-2007-6388: "Cross-site scripting (XSS) vulnerability in 
          mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 
          through 2.0.61, and 1.3.2 through 1.3.39, when the server-status 
          page is enabled, allows remote attackers to inject arbitrary web 
          script or HTML via unspecified vectors." [3] 

       mod_proxy_balancer: "This module requires the service of mod_proxy. 
       It provides load balancing support for HTTP, FTP and AJP13 protocols.
       Thus, in order to get the ability of load balancing, mod_proxy and 
       mod_proxy_balancer have to be present in the server." [4]  

       The National Vulnerability Database [2], gives the following
       information regarding these vulnerabilities:

        o CVE-2007-6421: "Cross-site scripting (XSS) vulnerability in 
          mod_proxy_balancer in the Apache HTTP Server 2.2.0 through 
          2.2.6 allows remote attackers to inject arbitrary web script or 
          HTML via unspecified vectors." [5]

        o CVE-2007-6422: "Unspecified vulnerability in mod_proxy_balancer 
          in the Apache HTTP Server 2.2.0 through 2.2.6, when a threaded 
          Multi-Processing Module is used, allows remote authenticated users 
          to cause a denial of service (child process crash) via a crafted 
          request." [6]

       mod_proxy_ftp: "This module requires the service of mod_proxy. It 
       provides support for the proxying FTP sites. Note that FTP support 
       is currently limited to the GET method. Thus, in order to get the 
       ability of handling FTP proxy requests, mod_proxy and mod_proxy_ftp 
       have to be present in the server." [7]

       The National Vulnerability Database [2], gives the following
       information regarding this vulnerability: 
  
       o CVE-2008-0005: "mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 
         2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not 
         define a charset, which allows remote attackers to conduct 
         cross-site scripting (XSS) attacks using UTF-7 encoding." [8]


MITIGATION:

       All but the mod_proxy_ftp vulnerabilities are reported to be fixed
       in Apache 2.2.7-dev [9]. Version 2.2.8 however was tagged to be
       released on January 10 2008 [10]. AusCERT will publish an update
       once the release is made public. 

       Alternatively removing the module will remove the vulnerability at
       the cost of removing the functionality.


REFERENCES:

       [1] Apache Module mod_status
           http://httpd.apache.org/docs/2.2/mod/mod_status.html

       [2] National Vulnerability Database
           http://nvd.nist.gov/

       [3] National Vulnerability Database (CVE-2007-6388)
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6388

       [4] Apache Module mod_proxy_balance
           http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html

       [5] National Vulnerability Database (CVE-2007-6421)
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6421

       [6] National Vulnerability Database (CVE-2007-6422)
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6422

       [7] Apache Module mod_proxy_ftp
           http://httpd.apache.org/docs/2.2/mod/mod_proxy_ftp.html

       [8] National Vulnerability Database (CVE-2008-0005)
           http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0005

       [9] Apache httpd 2.2 vulnerabilities
           http://httpd.apache.org/security/vulnerabilities_22.html

      [10] APACHE 2.2 STATUS
           http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/STATUS

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR4xQJyh9+71yA2DNAQLhmwP/SzWt4I2r4gROJsqPheYr1em7wzgRaFUf
0oE3dEtvHeBh0n5YKd8f/UyCqLKtCZ6ucvDvS96LywGiN20xLpfm9FT9BbKO/vYJ
IeHIDlUKXFljXH7+5t0rFqTDU1ocojlh8xWkKDN1nzyFTQ/5h6ZVhPud9d9URMxc
BFF10cld2wY=
=+bs/
-----END PGP SIGNATURE-----