Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On 2015-Aug-12 05:17, Ellen Shull wrote: > On Wed, Aug 12, 2015 at 3:39 AM, Proxy One wrote: > > Is there way to use curl for testing? I'm getting new line because of > > the single quote inside string and escaping it with back slash gives me > > bash: syntax error near unexpected token `<' > > You can use curl's -K option which lets you stick arguments in a file, > helpful for getting around shell quoting nightmares. For example make > a file named test-url-file which contains the line > url = http://www.mydomain.com/[bad stuff, don't want this message > tripping over some filter for containing a malicious-looking URL] > > then do curl -g -K test-url-file > > Note that just gets you around shell interpretation; curl does some of > its own as well. the -g switch I used there disables its > interpretation of {}[] as special globbing characters. If you put the > url in double quotes then not only do you have to escape any double > quotes in the string, it also starts interpreting backslash sequences > so you have to double all backslashes--so oddly it's best to just > leave quotes off. Thanks, it works! I was able to reproduce problem and was able to see how my changes affected response from the server. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On Wed, Aug 12, 2015 at 3:39 AM, Proxy One wrote: > Is there way to use curl for testing? I'm getting new line because of > the single quote inside string and escaping it with back slash gives me > bash: syntax error near unexpected token `<' You can use curl's -K option which lets you stick arguments in a file, helpful for getting around shell quoting nightmares. For example make a file named test-url-file which contains the line url = http://www.mydomain.com/[bad stuff, don't want this message tripping over some filter for containing a malicious-looking URL] then do curl -g -K test-url-file Note that just gets you around shell interpretation; curl does some of its own as well. the -g switch I used there disables its interpretation of {}[] as special globbing characters. If you put the url in double quotes then not only do you have to escape any double quotes in the string, it also starts interpreting backslash sequences so you have to double all backslashes--so oddly it's best to just leave quotes off. --ln ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On 2015-Aug-12 07:36, Eero Volotinen wrote: > How about something like: > > > > # disallow public access > Order Deny, Allow > Deny from all > Allow from 127.0.0.1 > > SetHandler perl-script > PerlResponseHandler Apache2::Status > > Thanks to this I noticed that I don't have mod_perl installed at all. So even this vulnerability is marked as CVE-2009-0796, it's related to my 404 page. Thanks! > 2015-08-11 14:46 GMT+03:00 Proxy One : > > > Hello, > > > > I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The > > Red Hat Security Response Team has rated this issue as having moderate > > security impact and bug as wontfix. > > > > Explanation: The vulnerability affects non default configuration of > > Apache HTTP web server, i.e cases, when access to Apache::Status and > > Apache2::Status resources is explicitly allowed via > /perl-status> httpd.conf configuration directive. Its occurrence can be > > prevented by using the default configuration for the Apache HTTP web > > server (not exporting /perl-status). > > > > I haven't used but Trustwave still finds me > > vulnerable. > > > > Evidence: > > Request: GET /perl- > > status/APR::SockAddr::port/">alert('xss') HTTP/1.1 > > Accept: */* > > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) > > Host: www.mydomain.com > > Content-Type: text/html > > Content-Length: 0 > > Response: HTTP/1.1 404 Not Found > > Date: Mon, 07 Aug 2015 11:10:21 GMT > > Server: Apache/2.2.15 (CentOS) > > X-Powered-By: PHP/5.3.3 > > Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/ > > > > Expires: Thu, 19 Nov 1981 08:52:00 GMT > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- > > check=0 > > Pragma: no-cache > > Connection: close > > Transfer-Encoding: chunked > > Content-Type: text/html; charset=UTF-8 > > Body: contains '">alert('xss')' > > > > > > How can I get around this? > > ___ > > CentOS mailing list > > CentOS@centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On 2015-Aug-11 19:57, Ellen Shull wrote: > On Tue, Aug 11, 2015 at 4:46 AM, Proxy One wrote: > > > I haven't used but Trustwave still finds me > > vulnerable. > > > [...] > > Response: HTTP/1.1 404 Not Found > > You clearly aren't serving perl-status; that's a red herring here. Indeed, I don't have mod_proxy installed. > [...] > > Body: contains '">alert('xss')' > > That's your problem; they're flagging you for an XSS "vulnerability". > I'm guessing you have a custom 404 page that naively echoes the entire > request URL as part of the page? You need to be using > htmlspecialchars() or HTML::Entities or whatever your > language/environment has to escape strings for safe inclusion in HTML > content. There is PHP generated 404 page. I'll check that with web developer. What's strange, I'm trying to reproduce this and I don't see that string. Trustwave support suggested I use Burp Suite and it's repeater tool. I find some windows machine, installed it and all I see inside body is "Unable to resolve the request "perl-status/APR::SockAddr::port". Is there way to use curl for testing? I'm getting new line because of the single quote inside string and escaping it with back slash gives me bash: syntax error near unexpected token `<' > There is of course more to it than that (sigh), try for starters: > https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet Very nice reading, thanks! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
How about something like: # disallow public access Order Deny, Allow Deny from all Allow from 127.0.0.1 SetHandler perl-script PerlResponseHandler Apache2::Status 2015-08-11 14:46 GMT+03:00 Proxy One : > Hello, > > I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The > Red Hat Security Response Team has rated this issue as having moderate > security impact and bug as wontfix. > > Explanation: The vulnerability affects non default configuration of > Apache HTTP web server, i.e cases, when access to Apache::Status and > Apache2::Status resources is explicitly allowed via /perl-status> httpd.conf configuration directive. Its occurrence can be > prevented by using the default configuration for the Apache HTTP web > server (not exporting /perl-status). > > I haven't used but Trustwave still finds me > vulnerable. > > Evidence: > Request: GET /perl- > status/APR::SockAddr::port/">alert('xss') HTTP/1.1 > Accept: */* > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) > Host: www.mydomain.com > Content-Type: text/html > Content-Length: 0 > Response: HTTP/1.1 404 Not Found > Date: Mon, 07 Aug 2015 11:10:21 GMT > Server: Apache/2.2.15 (CentOS) > X-Powered-By: PHP/5.3.3 > Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/ > > Expires: Thu, 19 Nov 1981 08:52:00 GMT > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- > check=0 > Pragma: no-cache > Connection: close > Transfer-Encoding: chunked > Content-Type: text/html; charset=UTF-8 > Body: contains '">alert('xss')' > > > How can I get around this? > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On Tue, Aug 11, 2015 at 4:46 AM, Proxy One wrote: > I haven't used but Trustwave still finds me > vulnerable. > [...] > Response: HTTP/1.1 404 Not Found You clearly aren't serving perl-status; that's a red herring here. [...] > Body: contains '">alert('xss')' That's your problem; they're flagging you for an XSS "vulnerability". I'm guessing you have a custom 404 page that naively echoes the entire request URL as part of the page? You need to be using htmlspecialchars() or HTML::Entities or whatever your language/environment has to escape strings for safe inclusion in HTML content. There is of course more to it than that (sigh), try for starters: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet --ln ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[CentOS] Apache mod_perl cross site scripting vulnerability
Hello, I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The Red Hat Security Response Team has rated this issue as having moderate security impact and bug as wontfix. Explanation: The vulnerability affects non default configuration of Apache HTTP web server, i.e cases, when access to Apache::Status and Apache2::Status resources is explicitly allowed via httpd.conf configuration directive. Its occurrence can be prevented by using the default configuration for the Apache HTTP web server (not exporting /perl-status). I haven't used but Trustwave still finds me vulnerable. Evidence: Request: GET /perl- status/APR::SockAddr::port/">alert('xss') HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: www.mydomain.com Content-Type: text/html Content-Length: 0 Response: HTTP/1.1 404 Not Found Date: Mon, 07 Aug 2015 11:10:21 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0 Pragma: no-cache Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Body: contains '">alert('xss')' How can I get around this? ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos