CVE-2002-1157
CVSS 7.5
Published: 2002-11-04 00:00:00
Revised: 2008-09-05 16:29:56

[Original] Cross-site scripting vulnerability in the mod_ssl Apache module 2.8.9 and earlier, when UseCanonicalName is off and wildcard DNS is enabled, allows remote attackers to execute script as other web site visitors, via the server name in an HTTPS response on the SSL port, which is used in a self-referencing URL, a different vulnerability than CAN-2002-0840.


[CNNVD] Mod_SSL Wildcard DNS Cross-Site Scripting Vulnerability (CNNVD-200211-004)

Mod_SSL is the SSL implementation for the Apache server; it provides encryption support for the Apache web server.
When Apache uses the mod_ssl module it returns the server name unfiltered. A remote attacker can exploit this to construct a malicious web page, lure a user into visiting it, and carry out a cross-site scripting attack.
The cross-site scripting vulnerability arises when the server is configured with "UseCanonicalName off" (not the default setting) in combination with wildcard DNS. With this setting off, Apache answers HTTP requests using Hostname:port, but the hostname data is not properly filtered when it is returned. With the setting on, Apache constructs self-referencing URLs and answers using the ServerName:port form.
An attacker can construct a link whose hostname contains arbitrary HTML and script code and lure the target user into clicking it; the attacker-supplied script code then executes in the client's browser, which can steal cookie-based authentication information and may also obtain local file contents.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may lead to system files being modified]
Availability impact: PARTIAL [may cause performance degradation or interrupted access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1157
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1157
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200211-004
(official data source) CNNVD

- Other links and resources

http://www.debian.org/security/2002/dsa-181
(VENDOR_ADVISORY)  DEBIAN  DSA-181
http://www.iss.net/security_center/static/10457.php
(VENDOR_ADVISORY)  XF  apache-modssl-host-xss(10457)
http://www.securityfocus.com/bid/6029
(UNKNOWN)  BID  6029
http://www.redhat.com/support/errata/RHSA-2003-106.html
(UNKNOWN)  REDHAT  RHSA-2003:106
http://www.redhat.com/support/errata/RHSA-2002-251.html
(UNKNOWN)  REDHAT  RHSA-2002:251
http://www.redhat.com/support/errata/RHSA-2002-248.html
(UNKNOWN)  REDHAT  RHSA-2002:248
http://www.redhat.com/support/errata/RHSA-2002-244.html
(UNKNOWN)  REDHAT  RHSA-2002:244
http://www.redhat.com/support/errata/RHSA-2002-243.html
(UNKNOWN)  REDHAT  RHSA-2002:243
http://www.redhat.com/support/errata/RHSA-2002-222.html
(UNKNOWN)  REDHAT  RHSA-2002:222
http://www.osvdb.org/2107
(UNKNOWN)  OSVDB  2107
http://www.linuxsecurity.com/advisories/other_advisory-2512.html
(UNKNOWN)  ENGARDE  ESA-20021029-027
http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-072.php
(UNKNOWN)  MANDRAKE  MDKSA-2002:072
http://online.securityfocus.com/archive/1/296753
(UNKNOWN)  BUGTRAQ  20021023 [OpenPKG-SA-2002.010] OpenPKG Security Advisory (apache)
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000541
(UNKNOWN)  CONECTIVA  CLA-2002:541
http://archives.neohapsis.com/archives/bugtraq/2002-10/0374.html
(UNKNOWN)  BUGTRAQ  20021026 GLSA: mod_ssl

- Vulnerability information

Mod_SSL Wildcard DNS Cross-Site Scripting Vulnerability
High risk   Input validation
2002-11-04 00:00:00 2005-05-13 00:00:00
Remote
        
        

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily disable JavaScript in the browser.
Vendor patches:
Debian
------
Debian has released a security advisory (DSA-181-1) and corresponding patches for this:
DSA-181-1: New mod_ssl packages fix cross site scripting
Link:
http://www.debian.org/security/2002/dsa-181

Patch downloads:
Source archives:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4.dsc

        Size/MD5 checksum: 705 db7c60ce194c218b07b79968585a3065
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4.diff.gz

        Size/MD5 checksum: 20194 4c9fd112ca2a50ccbb21f76917012b88
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9.orig.tar.gz

        Size/MD5 checksum: 695247 cb0f2e07065438396f0d5df403dd2c16
        Architecture independent components:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.4.10-1.3.9-1potato4_all.deb

        Size/MD5 checksum: 278090 12bc6e09fb5ec76f4b37ed5c295470eb
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_alpha.deb

        Size/MD5 checksum: 211734 c4d690aed7c335ceeb204dd913e36a39
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_arm.deb

        Size/MD5 checksum: 203106 5847b3d90d092dfa6e806a6d9ee8fe90
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_i386.deb

        Size/MD5 checksum: 199266 6c89113c7cf5d0e82c436fe967c7b2f3
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_m68k.deb

        Size/MD5 checksum: 203612 0631d1e03e921c5a10ff2f4f6e0093f8
        PowerPC architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_powerpc.deb

        Size/MD5 checksum: 201282 98666b5d76aa20e5a5e1b5ee331a9b71
        Sun Sparc architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.4.10-1.3.9-1potato4_sparc.deb

        Size/MD5 checksum: 202150 9f9df58c9cf85683d65ddd92f2c8551e
        Debian GNU/Linux 3.0 alias woody
        --------------------------------
        Source archives:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1.dsc

        Size/MD5 checksum: 678 8326399384a276295ed312f3314f8b2a
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1.diff.gz

        Size/MD5 checksum: 21672 3c6e87aad1113d19c04e2824e7fc6345
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9.orig.tar.gz

        Size/MD5 checksum: 752613 aad438a4eaeeee29ae74483f7afe9db0
        Architecture independent components:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl-doc_2.8.9-2.1_all.deb

        Size/MD5 checksum: 287898 7c5f6a20d23ec97bd7d0f8ec5bd14172
        Alpha architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_alpha.deb

        Size/MD5 checksum: 247800 0e6312d4ce0a5acd4f0291aff658f8ee
        ARM architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_arm.deb

        Size/MD5 checksum: 240094 9bf9083652950cc47033d4774de9737f
        Intel IA-32 architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_i386.deb

        Size/MD5 checksum: 238156 9756a3701103f8779c65455c968898c3
        Intel IA-64 architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_ia64.deb

        Size/MD5 checksum: 268682 b00a8b74ecda50dea58ab8ab199f8f33
        HP Precision architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_hppa.deb

        Size/MD5 checksum: 248092 102048ee2fa63c33d8076fc3a44b8305
        Motorola 680x0 architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_m68k.deb

        Size/MD5 checksum: 240990 4a8853fadd213fca4057dee5897f3225
        Big endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_mips.deb

        Size/MD5 checksum: 236080 53a779235110dff18ecaf8806ac8b3f8
        Little endian MIPS architecture:
        
        http://security.debian.org/pool/updates/main/liba/libapache-mod-ssl/libapache-mod-ssl_2.8.9-2.1_mipsel.deb

        Size/MD5 checksum: 236018 3e1ed4ecc89de7cd2acdf21138ddf8ed
        PowerPC architecture:
        

- Vulnerability information

2107
Apache HTTP Server mod_ssl Host: Header XSS
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

Apache mod_ssl contains a flaw that allows a remote Cross Site Scripting attack. This flaw exists because the application does not validate server signature data upon submission to the SSI error page. This could allow a user to send a specially crafted request that would execute the embedded script within the security context of the hosting site.

- Timeline

2002-10-22 2002-10-22
2002-10-22 Unknown

- Solution

Upgrade to version 2.8.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Mod_SSL Wildcard DNS Cross Site Scripting Vulnerability
Input Validation Error 6029
Yes No
2002-10-22 12:00:00 2009-07-11 06:06:00
Discovery credited to Joe Orton.

- Affected program versions

Sun Cobalt RaQ XTR
Sun Cobalt RaQ 550
Sun Cobalt RaQ 4
Sun Cobalt Qube 3
OpenPKG OpenPKG 1.1
OpenPKG OpenPKG 1.0
OpenPKG OpenPKG Current
mod_ssl mod_ssl 2.8.9
- Apache Software Foundation Apache 1.3.26
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ HP Secure OS software for Linux 1.0
+ Slackware Linux 8.1
mod_ssl mod_ssl 2.4.10
+ Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
Mandriva Linux Mandrake 9.0
Mandriva Linux Mandrake 8.2 ppc
Mandriva Linux Mandrake 8.2
Mandriva Linux Mandrake 8.1 ia64
Mandriva Linux Mandrake 8.1
Mandriva Linux Mandrake 8.0 ppc
Mandriva Linux Mandrake 8.0
Mandriva Linux Mandrake 7.2
MandrakeSoft Single Network Firewall 7.2
EnGarde Secure Linux 1.0.1
Conectiva Linux 8.0
Conectiva Linux 7.0
Conectiva Linux 6.0
Apache Software Foundation Apache 2.0.40
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0
+ Terra Soft Solutions Yellow Dog Linux 3.0
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
+ Trustix Secure Linux 1.5
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.1
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 6.2 sparc
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 alpha

- Vulnerability discussion

A vulnerability has been discovered in the mod_ssl module for Apache.

It should be noted that the existence of this vulnerability is limited to configurations with both the 'UseCanonicalName' option turned off and wildcard DNS enabled.

It has been reported that Apache v1.x, when using the mod_ssl module will return an unescaped server name in response to HTTP requests on SSL ports.

If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
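The discussion above describes two things a defender can check: how a self-referencing URL is assembled from the request's Host header when UseCanonicalName is off, and why validating and HTML-escaping that value (or switching to the configured ServerName) removes the reflection. The following Python model is an added example written for this page; it is not code from mod_ssl or Apache, and every function name, the sample configuration and the sample Host values are constructed for the demonstration.

```python
import html
import re

# Hostname grammar (RFC 1123 labels) with an optional :port.  Anything
# outside this set, including '<', '>', '"' and '/', is not a hostname.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::[0-9]{1,5})?$",
    re.IGNORECASE,
)


def is_valid_host(host: str) -> bool:
    """True if `host` is syntactically a hostname[:port]."""
    return bool(_HOST_RE.match(host))


def self_url_unfiltered(request_host: str, canonical_name: str, port: int,
                        use_canonical_name: bool) -> str:
    """Models the behaviour the advisory describes (hypothetical helper):
    with UseCanonicalName Off the Host header is echoed as-is into a
    self-referencing URL; with On the configured ServerName:port is used."""
    host = f"{canonical_name}:{port}" if use_canonical_name else request_host
    return f"https://{host}/"


def self_url_hardened(request_host: str, canonical_name: str, port: int,
                      use_canonical_name: bool) -> str:
    """Same decision, but a Host value that is not a valid hostname is
    replaced by the canonical name, and the result is HTML-escaped before it
    is embedded in a page.  Escaping is the kind of fix the advisories
    describe; the validation step is an extra defence assumed here."""
    if use_canonical_name or not is_valid_host(request_host):
        host = f"{canonical_name}:{port}"
    else:
        host = request_host
    return html.escape(f"https://{host}/", quote=True)


def audit_use_canonical_name(config_text: str) -> list:
    """Return the line numbers where an Apache-style config sets
    UseCanonicalName Off, the precondition this issue depends on.
    Comments after '#' are ignored; the match is case-insensitive."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        m = re.match(r"UseCanonicalName\s+(\S+)", stripped, re.IGNORECASE)
        if m and m.group(1).lower() == "off":
            findings.append(n)
    return findings


# Constructed inputs for the demonstration (not taken from any real system).
CANONICAL = "www.example.com"
GOOD_HOST = "www.example.com:443"
BAD_HOST = "<b>evil</b>.example.com"   # markup in place of a hostname
SAMPLE_CONFIG = """ServerName www.example.com
UseCanonicalName Off   # reflects the request Host into self-referencing URLs
<VirtualHost _default_:443>
    UseCanonicalName On
</VirtualHost>
"""

if __name__ == "__main__":
    print(self_url_unfiltered(BAD_HOST, CANONICAL, 443, False))  # markup reflected
    print(self_url_hardened(BAD_HOST, CANONICAL, 443, False))    # canonical name used
    print(audit_use_canonical_name(SAMPLE_CONFIG))               # lines to review
```

Run as a script, the first line shows the reflected markup that the unfiltered path produces under UseCanonicalName Off, the second shows the hardened path falling back to ServerName:port, and the third lists the config line a reviewer should flag. The audit function is deliberately line-based so it can be pointed at a dumped configuration without an Apache parser.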

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Debian has released an advisory containing fixes.

Conectiva Linux has released a security advisory containing fixes. Further information can be obtained from the referenced advisory.

RedHat has released a security advisory (RHSA-2002:222-21) which contains fixes that address this issue. Further details can be obtained from the referenced advisory.

Fixes:

OpenPKG OpenPKG Current
Sun Cobalt RaQ 550
Sun Cobalt Qube 3
Sun Cobalt RaQ 4
Sun Cobalt RaQ XTR
OpenPKG OpenPKG 1.0
EnGarde Secure Linux 1.0.1
OpenPKG OpenPKG 1.1
Apache Software Foundation Apache 1.3.22
Apache Software Foundation Apache 1.3.23
Apache Software Foundation Apache 2.0.40
Conectiva Linux 6.0
Conectiva Linux 7.0
MandrakeSoft Single Network Firewall 7.2
Mandriva Linux Mandrake 7.2
Conectiva Linux 8.0
Mandriva Linux Mandrake 8.0 ppc
Mandriva Linux Mandrake 8.0
Mandriva Linux Mandrake 8.1 ia64
Mandriva Linux Mandrake 8.1
Mandriva Linux Mandrake 8.2 ppc
Mandriva Linux Mandrake 8.2
Mandriva Linux Mandrake 9.0

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites