https://issues.apache.org/bugzilla/show_bug.cgi?id=46837
Summary: CVE-2008-0456 Apache 'mod_negotiation' HTML Injection and HTTP Response Splitting Vulnerability
Product: Apache httpd-2
Version: 2.2.9
Platform: All
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0456
OS/Version: All
Status: NEW
Keywords: RFC
Severity: normal
Priority: P2
Component: mod_negotiation
AssignedTo: [email protected]
ReportedBy: [email protected]
Created an attachment (id=23371)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=23371)
fix, applies to 2.2.9
When mod_negotiation returns a 406 response when serving a file whose name
includes whitespace or other special characters, those characters are not
escaped in the Alternates: header.
Similarly, the Content-Location: header is not escaped.
As a result, content negotiation will probably not work with such files. There
is also a security impact: a user who can control the name of files on a web
server could inject responses that appear to come from other web sites served
by the same system.
On Mac OS X, this may be reproduced by
touch ~/Sites/'junk
Header: Injected
blah:.jpg'
and then requesting
http://localhost/~$USER/junk%0aHeader:%20Injected%0ablah:
The CVE description claims the bug is present in 2.2.6 and earlier. I have
confirmed it in 2.2.9. Possibly all Apache versions that support content
negotiation are affected.
A patch is attached.
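Added example, not the attached patch and not httpd's own code: a percent-encoder for a file name that is about to be written into a header value such as Content-Location, plus the CR/LF check a header emitter can apply before writing any value. The file name in main() is constructed to mirror the reproduction above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters allowed literally in a URI path segment (RFC 3986
 * unreserved + sub-delims + ':' '@'); everything else, including
 * whitespace, CR and LF, is percent-encoded. */
static int is_pchar(unsigned char c) {
    return isalnum(c) || strchr("-._~!$&'()*+,;=:@", c) != NULL;
}

/* Percent-encode a file name for use in a header value.
 * Returns the number of bytes written, or -1 if out is too small. */
int escape_for_header(const char *name, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (is_pchar(*p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* A CR or LF inside a header value ends the header line, so the rest
 * of the value is parsed as further headers or a new response. */
int header_value_is_safe(const char *value) {
    return strpbrk(value, "\r\n") == NULL;
}

/* Escape name and compare the result with expected (1 on match). */
int escaped_equals(const char *name, const char *expected) {
    char buf[256];
    return escape_for_header(name, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed file name mirroring the report's reproduction case. */
    const char *name = "junk\nHeader: Injected\nblah:.jpg";
    char escaped[256];
    printf("raw value safe: %d\n", header_value_is_safe(name));
    escape_for_header(name, escaped, sizeof escaped);
    printf("escaped: %s (safe: %d)\n", escaped, header_value_is_safe(escaped));
    return 0;
}
```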