On 01/06/2008 07:13 PM, Sander Temme wrote:
>
> On Jan 4, 2008, at 12:00 PM, Jim Jagielski wrote:
>
>> The latest versions of all 3 variants of Apache HTTP Server (1.3.40,
>> 2.0.62 and 2.2.7) have been tagged.
>
>
> While it seems to me that we're looking at a re-roll with several
> patches, please find my test results from the past couple of days.
> Perhaps this experience finally motivates me to script this exercise
> since it gets extremely tedious and repetitive, and hence error prone.
>
> Compiled with a bunch of modules (see config.nice and config.status at
> the end) as well as php-5.2.5.
>
> Mac OS X 10.5 (Leopard) on PowerPC:
>
> [-1] 1.3.40 (CVE-2007-6388 not fixed)
There is a patch available from Mark J Cox for 1.3 which I attach.
Regards
Rüdiger
Index: src/CHANGES
===================================================================
--- src/CHANGES (revision 606689)
+++ src/CHANGES (working copy)
@@ -1,5 +1,10 @@
Changes with Apache 1.3.40
+ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+ mod_status: Ensure refresh parameter is numeric to prevent
+ a possible XSS attack caused by redirecting to other URLs.
+ Reported by SecurityReason. [Mark Cox]
+
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
Index: src/modules/standard/mod_status.c
===================================================================
--- src/modules/standard/mod_status.c (revision 604646)
+++ src/modules/standard/mod_status.c (working copy)
@@ -232,17 +232,15 @@
while (status_options[i].id != STAT_OPT_END) {
if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
switch (status_options[i].id) {
- case STAT_OPT_REFRESH:
- if (*(loc + strlen(status_options[i].form_data_str)) == '='
- && atol(loc + strlen(status_options[i].form_data_str)
- + 1) > 0)
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str,
- loc + strlen(status_options[i].hdr_out_str) + 1);
- else
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str, "1");
- break;
+ case STAT_OPT_REFRESH: {
+ long refreshtime = 0;
+ if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+ ap_table_set(r->headers_out,
+ status_options[i].hdr_out_str,
+ ap_psprintf(r->pool,"%ld",(refreshtime<1)?1:refreshtime));
+ break;
+ }
case STAT_OPT_NOTABLE:
no_table_report = 1;
break;
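Review bot: the new `refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);` line still parses with atol(), whose behaviour on an out-of-range value is undefined and which silently accepts leading whitespace and a sign; consider strtol() with an end pointer and an ERANGE check so that oversized or non-numeric input is rejected or clamped deterministically rather than left to the C library. That said, the clamp `(refreshtime<1)?1:refreshtime` already neutralises zero and negative values, and emitting the result through `ap_psprintf(r->pool,"%ld", ...)` is the real fix here: the header can now only ever contain a number, whereas the removed branch copied the raw query-string tail starting at `loc + strlen(status_options[i].hdr_out_str) + 1` straight into the Refresh header, so anything following the digits (a `;url=` part included) went out verbatim. Note also that the removed code indexed the value with the length of hdr_out_str rather than form_data_str, which only worked because "Refresh" and "refresh" happen to be the same length; the rewrite uses form_data_str consistently, which is the right choice. There is no upper bound on refreshtime, but a very large interval is harmless, so that is acceptable.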