Re: Apache Illegal Request Handling Possible XSS Vulnerability

["Michal Majchrowicz" <m.majchrowicz () gmail com>]

In this case I agree this is a solution. If Apache wouldn't accept any
'separators' then XSS (and other stuff) wouldn't be possible at all.
Is there anywhere described which chars can be used in protocol
"field"?
Regards Michal.

On 4/24/07, Richard Moore <rich () westpoint ltd uk> wrote:
> Michal Majchrowicz wrote:
> > Okay so let's assume that there cany "anything" as the request. But
> > there has to be something that handles this request? If there is no
> > "handler" for request "<script>" Apache should return error page. And
> > what about protocol version? You didn't answer this question.
> > Regards Michal.
>
> The handler here is your script - there's no way for apache to
> know what your script does. It is the responsibility of the script
> to raise an error in this case.
>
> To be precise the HTTP specification (RFC 2616) says a method is:
>
>      Method         = "OPTIONS"                ; Section 9.2
>                        | "GET"                    ; Section 9.3
>                        | "HEAD"                   ; Section 9.4
>                        | "POST"                   ; Section 9.5
>                        | "PUT"                    ; Section 9.6
>                        | "DELETE"                 ; Section 9.7
>                        | "TRACE"                  ; Section 9.8
>                        | "CONNECT"                ; Section 9.9
>                        | extension-method
>      extension-method = token
>
> Now, token is defined by these productions:
>
>   token          = 1*<any CHAR except CTLs or separators>
>
>   CHAR           = <any US-ASCII character (octets 0 - 127)>
>
>   separators     = "(" | ")" | "<" | ">" | "@"
>                        | "," | ";" | ":" | "\" | <">
>                        | "/" | "[" | "]" | "?" | "="
>                        | "{" | "}" | SP | HT
>
>   CTL            = <any US-ASCII control character
>                          (octets 0 - 31) and DEL (127)>
>
> So that implies that Apache is being slightly lax in passing arbitrary
> content. However, there is no fixed list of valid methods as you can
> define your own as an extension-method. This is used by a number of
> protocols. Apache should probably raise an error if the method
> contains characters outside these defined productions.
>
> Cheers
>
> Rich.
>
>
> > On 4/24/07, Richard Moore <rich () westpoint ltd uk> wrote:
> > > Michal Majchrowicz wrote:
> > > > Hi.
> > > > I think that server should have a list of valid requests. In fact
> > > > Apache warns you sometimes that valid requests are:
> > > > "GET/POST/TRACE/OPTIONS". The solution that it just accepts everything
> > > > as request and protocol makes no sense. What kind of protocol is
> > >
> > > It makes lots of sense as I said - protocols like WebDAV are
> > > layered on top of HTTP and are implemented in apache using the
> > > exact same API as PHP uses. They need to add methods like PROPFIND
> > > etc. Unless they are required to define the exact set of verbs
> > > supported by every page then there's no way to define a fixed
> > > list.
> > >
> > > I do however agree that it could be restricted to something like
> > > [A-Z0-9]+ as I said.
> > >
> > > Cheers
> > >
> > > Rich.
> > >
> > > > "<script>"?
> > > > Regards Michal.
> > > >
> > > > On 4/24/07, Richard Moore <rich () westpoint ltd uk> wrote:
> > > > > Michal Majchrowicz wrote:
> > > > > > Hi.
> > > > > > I think now we can classify this as flaw in Apache. It accepts
> > > > > > requests that simply make no sense. Take a look at this example:
> > > > > > <script>alert(document.cookie);</script> /test.php
> > > > > > <script>alert(document.cookie);</script>
> > > > > > In some circumstances it may cause XSS vulnerability:
> > > > > > <?php
> > > > > >         echo $_SERVER['REQUEST_METHOD'];
> > > > > >         echo $_SERVER['SERVER_PROTOCOL'];
> > > > > > ?>
> > > > >
> > > > > As Kradorex Xeron said, that's a flaw in the script. Apache needs
> > > > > to let arbitrary verbs through to the PHP (or other server extension)
> > > > > otherwise tools like webdav that require additional verbs could not
> > > > > be implemented. It is possibly arguable that it should restrict the
> > > > > verbs to a single alphanumeric string, but it certainly can't be
> > > > > counted on to be just GET/POST etc.
> > > > >
> > > > > Cheers
> > > > >
> > > > > Rich.
> > > > >
> > > > > > I am now investigating other possible attacks.
> > > > > > Regards Michal Majchrowicz.
> > > > > >
> > > > > > _______________________________________________
> > > > > > Full-Disclosure - We believe in it.
> > > > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > > >
> > > > >
> > > > > --
> > > > > Richard Moore, Principal Software Engineer,
> > > > > Westpoint Ltd,
> > > > > Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> > > > > Tel: +44 161 237 1028
> > > > > Fax: +44 161 237 1031
> > >
> > >
> > > --
> > > Richard Moore, Principal Software Engineer,
> > > Westpoint Ltd,
> > > Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> > > Tel: +44 161 237 1028
> > > Fax: +44 161 237 1031
>
>
> --
> Richard Moore, Principal Software Engineer,
> Westpoint Ltd,
> Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
> Tel: +44 161 237 1028
> Fax: +44 161 237 1031

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/