Apache mod_negotiation Cross-Site Scripting and HTTP Response Splitting Vulnerabilities


Description   Two vulnerabilities have been identified in the mod_negotiation module of Apache. The "406 Not Acceptable" and "300 Multiple Choices" HTTP responses sent back to the user are not sufficiently sanitized, which allows:
- cross-site scripting attacks, by inserting HTML and JavaScript code in the GET request
- HTTP response splitting attacks, by inserting carriage-return/line-feed (CR/LF) characters in the GET request, allowing injection of arbitrary HTTP headers
Exploiting these vulnerabilities requires that the attacker be able to upload a file with a malicious name to the server.
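As an added illustration (not code from the advisory, from Apache or from F5), a Python sketch of the two sanitisation steps that close this class of bug: refusing upload names that carry CR/LF or HTML metacharacters before they reach the document root, and escaping variant names before they are written into a 300/406 response. Function names and the filename policy are assumptions.

```python
# Added example: defensive checks for the mod_negotiation reflection issue.
# Nothing here is Apache's own code; names and the filename policy are assumptions.
import html
import re

# A stored filename reaches the client in two places: in header lines (where CR/LF
# would split the response) and in the HTML body of a 300/406 page (where
# unescaped HTML metacharacters become script).
_HEADER_BREAKERS = re.compile(r"[\r\n]")
_HTML_METACHARS = re.compile(r"[<>\"'&]")


def upload_name_is_safe(name: str) -> bool:
    """Reject upload names that mod_negotiation could reflect unsafely."""
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        return False
    if _HEADER_BREAKERS.search(name) or _HTML_METACHARS.search(name):
        return False
    # Conservative policy (an assumption): printable ASCII only.
    return all(0x20 <= ord(c) < 0x7F for c in name)


def render_multiple_choices(variants: list[str]) -> str:
    """Body of a 300 response with every variant name HTML-escaped, which is
    exactly the sanitisation the vulnerable responses lacked."""
    items = "".join(
        f'<li><a href="{html.escape(v, quote=True)}">{html.escape(v)}</a></li>'
        for v in variants
    )
    return f"<html><body><h1>Multiple Choices</h1><ul>{items}</ul></body></html>"


def build_header(name: str, value: str) -> str:
    """Serialise one response header, refusing anything that would split the response."""
    if _HEADER_BREAKERS.search(name) or _HEADER_BREAKERS.search(value):
        raise ValueError("CR/LF in header field")
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    # Constructed sample names: one benign, two carrying the character classes
    # the advisory describes (HTML markup, and a CR/LF with a made-up header).
    for sample in ("index.html.en", "page<b>x</b>.html", "page\r\nX-Injected: 1.html"):
        print(repr(sample), "safe" if upload_name_is_safe(sample) else "rejected")
```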
Updated: 13/09/2012
The cross-site scripting vulnerability (CVE-2008-0455) is identical to the CVE-2012-2687 vulnerability (see Lexsi bulletin 17488).
Updated: 31/08/2015
F5 has published the list of products impacted by these vulnerabilities:
- BIG-IP ASM
- BIG-IP GTM
- BIG-IP LTM
- BIG-IP Link Controller
- BIG-IP WebAccelerator
- Enterprise Manager
     
Vulnerable Products   Vulnerable OS:
- BIG-IP ASM (F5) - 10.1.0, 10.2.0, 10.2.1, 10.2.1 HF1, 10.2.1 HF2, ..., 11.4.1 HF6, 11.4.1 HF7, 11.4.1 HF8, 11.4.1 HF9, 11.4.1-HF5
- BIG-IP GTM (F5) - 10.1.0, 10.2.0, 10.2.1, 10.2.1 HF1, 10.2.1 HF2, ..., 11.4.1 HF5, 11.4.1 HF6, 11.4.1 HF7, 11.4.1 HF8, 11.4.1 HF9
- BIG-IP LTM (F5) - 10.1.0, 10.2.0, 10.2.1, 10.2.1 HF1, 10.2.1 HF2, ..., 11.4.1 HF5, 11.4.1 HF6, 11.4.1 HF7, 11.4.1 HF8, 11.4.1 HF9
- BIG-IP Link Controller (F5) - 10.1.0, 10.2.0, 10.2.1, 10.2.1 HF1, 10.2.1 HF2, ..., 11.4.1 HF5, 11.4.1 HF6, 11.4.1 HF7, 11.4.1 HF8, 11.4.1 HF9
- BIG-IP WebAccelerator module (F5) - 10.1.0, 10.2.0, 10.2.1, 10.2.1 HF1, 10.2.1 HF2, ..., 11.3.0 HF5, 11.3.0 HF6, 11.3.0 HF7, 11.3.0 HF8, 11.3.0 HF9
- CentOS (Red Hat) - 5, 6
- Enterprise Linux 5 (Red Hat) - Desktop Client, Desktop Workstation Client, Server
- Enterprise Linux 6 (Red Hat) - Desktop, HPC Node, Server, Workstation
- Enterprise Manager (F5) - 3.0.0, 3.1.0, 3.1.1, 3.1.1 HF1, 3.1.1 HF2, 3.1.1 HF3, 3.1.1 HF4
- Fedora (Red Hat) - 17
- Linux
- Linux Server (Oracle) - 5, 6
- MacOS X (Apple) - 10.5, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6
- MacOS X Server (Apple) - 10.5, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6
Vulnerable Software:
- Apache (Apache Software Foundation) - 1.3, 1.3.1, 1.3.11, 1.3.11win32, 1.3.12, ..., 2.2.4, 2.2.5, 2.2.6, 2.4.1, 2.4.2
     
Solution   Fixed httpd packages for CentOS 6 are available (CVE-2008-0455).
     
CVE   CVE-2008-0456
CVE-2008-0455
     
References   - MSA01150108 : Apache mod_negotiation XSS and HTTP Response Splitting
http://www.mindedsecurity.com/MSA01150108.html
- Apple : About the security content of Security Update 2009-002 / Mac OS X v10.5.7
http://support.apple.com/kb/HT3549
- Apache : Fixed in Apache httpd 2.4.3
http://httpd.apache.org/security/vulnerabilities_24.html#2.4.3
- RHSA-2012:1594 : JBoss Enterprise Application Platform 6.0.1 update
https://rhn.redhat.com/errata/RHSA-2012-1594.html
- RHSA-2013:0130 : httpd security, bug fix, and enhancement update
http://rhn.redhat.com/errata/RHSA-2013-0130.html
- ELSA-2013-0130 : Oracle Linux 5 httpd security, bug fix, and enhancement update
http://oss.oracle.com/pipermail/el-errata/2013-January/003201.html
- CESA-2013:0130 : Low CentOS 5 httpd Update
http://lists.centos.org/pipermail/centos-announce/2013-January/019175.html
- FEDORA-2013-1661 : Fedora 17 Update: httpd-2.2.23-1.fc17
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098616.html
- RHSA-2013:0512 : httpd security, bug fix, and enhancement update
http://rhn.redhat.com/errata/RHSA-2013-0512.html
- ELSA-2013-0512 : Oracle Linux 6 httpd security, bug fix, and enhancement update
http://oss.oracle.com/pipermail/el-errata/2013-February/003287.html
- CESA-2013:0512 : Low CentOS 6 httpd Update
http://lists.centos.org/pipermail/centos-announce/2013-March/019341.html
- SOL17201 : Apache HTTP server vulnerability CVE-2008-0455
https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17201.html
- SOL17189 : Apache HTTP server vulnerability CVE-2008-0456
https://support.f5.com/kb/en-us/solutions/public/17000/100/sol17189.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'meta' tag found in URL | 3.2.0
HTTP Request Smuggling : HTTP command found in header | 3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'div' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'img' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'a' tag found in URL | 3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL | 3.2.0
XSS - Phishing : suspicious 'form' tag found in URL | 3.2.0
HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header | 3.2.0
XSS - Prevention - GET : javascript code found in URL | 3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL | 3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL | 3.2.0
HTTP Request Smuggling : suspicious syntax using HTTP keyword | 3.2.0
XSS - Phishing : suspicious 'link' tag found in URL | 3.2.0
XSS - Prevention - GET : 'script' tag found in URL | 3.2.0
HTTP Request Smuggling : multiple Content-Length fields | 3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL | 3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL | 3.2.0
SQL injection Prevention - GET : Evasion attempt with CAST and EXEC statements | 5.0.0
     
Risk level   Low

Vulnerability First Public Report Date   2008-01-22

Target Type   Server

Possible exploit   Remote