Slashdot Mirror


Apache 2.0 Cross-site Scripting Vulnerability

jimmy writes ""A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host." This cross-site scripting (or XSS) hole has been found in all versions of Apache prior to 2.0.43. The advisory can be found here and users are urged to upgrade to address this problem."

15 comments

  1. Let's clarify... by Your_Mom · · Score: 5, Informative

    It's not /all/ versions of Apache, just all 2.0 versions prior to 2.0.43.
    For those of us still running the 1.3 branch, we're good.

    --
    Objects in the blog are closer then they ap
    1. Re:Let's clarify... by markcox · · Score: 1

      Okay so the reporter released early and therefore missed out on the full analysis.

      This is CAN-2002-0840

      Prevent a cross-site scripting vulnerability in the default error page. The issue could only be exploited if the directive UseCanonicalName is set to Off and a server is being run at a domain that allows wildcard DNS. (which are not that common)

      The default setting has been Off in 2.0 since 2.0.33; 1.3 has always had it On, so is not vulnerable by default, but is vulnerable if you set UseCanonicalName to Off.

      Affects Apache 2.0 all versions including 2.0.42 and 1.3 all versions up to 1.3.26

      Expect fixes shortly, but this isn't a very critical vulnerability.

      --
      -- Mark Cox, http://www.awe.com/mark/
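
The conditions markcox lists above, turned into a configuration check. This is an added example, not part of the original thread or of Apache's own tooling; the function names, the sample config and the operator-supplied `wildcard_dns` flag are assumptions, as is the pre-2.0.33 default of On, which is inferred from the comment.

```python
import re

# Version facts as stated in the thread for CAN-2002-0840.
FIRST_UNAFFECTED = {(1, 3): (1, 3, 27), (2, 0): (2, 0, 43)}
DEFAULT_OFF_SINCE = (2, 0, 33)  # 2.0 default is Off from here on; 1.3 defaults to On
DIRECTIVE = re.compile(r"UseCanonicalName\s+(\S+)", re.IGNORECASE)

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
ServerName www.example.com
<VirtualHost *:80>
    ServerName shop.example.com
    UseCanonicalName On
</VirtualHost>
"""

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def default_setting(version):
    # Assumption: 2.0 releases before 2.0.33 defaulted to On, as 1.3 does.
    return "off" if version[:2] == (2, 0) and version >= DEFAULT_OFF_SINCE else "on"

def canonical_name_scopes(conf_text, version):
    """Effective value for the main server, then each container that overrides it."""
    main, nested, depth = default_setting(version), [], 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("</"):
            depth = max(depth - 1, 0)
        elif line.startswith("<"):
            depth += 1
        elif (m := DIRECTIVE.match(line)):
            if depth == 0:
                main = m.group(1).lower()
            else:
                nested.append(m.group(1).lower())
    return [main] + nested

def assess(version_text, conf_text, wildcard_dns):
    version = parse_version(version_text)
    fixed = FIRST_UNAFFECTED.get(version[:2])
    if fixed is None:
        return "branch not covered by the advisory"
    if version >= fixed:
        return "patched"
    if "off" not in canonical_name_scopes(conf_text, version):
        return "unpatched, precondition absent"
    return "exposed" if wildcard_dns else "unpatched, needs wildcard DNS"
```

On a 2.0.42 server the sample config is still flagged, because the `On` inside the virtual host does not change the main server's default of Off.
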
    2. Re:Let's clarify... by lylonius · · Score: 3, Informative

      Actually, you are mistaken. Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840

      Apache release notes here: http://www.apache.org/dist/httpd/Announcement.html

    3. Re:Let's clarify... by Anonymous Coward · · Score: 0


      Hey, it's not only the 2.0x branch that has a new version:
      Apache-1.3.27
      check it out!!!

  2. This is why I am holding off on upgrading to 2.0 by stefanlasiewski · · Score: 1

    This is why I am holding off on upgrading to 2.0.

    Not trying to insult the Apache folks. 2.0 looks to be a great product, and I'm experimenting with it at home. But 2.0 lacks sufficient maturity (in some areas) for me to use it on our production environment right now. I'll probably wait until 2.1.x .

    Yes, all software has bugs, even the mature Apache 1.3 branch. But 2.0 has potentially more bugs...

    --
    "Can of worms? The can is open... the worms are everywhere."
  3. Where's 2.0.43? by joostje · · Score: 1
    users are urged to upgrade to address this problem.


    But going to http://www.apache.org/dist/httpd/, I read:

    Apache 2.0.42 is the best available version.


    So, where's 2.0.43? Or is someone reporting this too early?

    1. Re:Where's 2.0.43? by roly · · Score: 0

      Use the 2.0.43 CVS SNAP

      --
      "With Microsoft, you get Windows. With Linux, you get the full house" - unknown
    2. Re:Where's 2.0.43? by rwinston · · Score: 1

      It seems that 2.0.43 hasn't been released yet - however if you are building from source, the patch to fix this issue is in the patches/ directory. I assume they just haven't built the release binaries yet.

      --
      "If we cannot be free, then at least we can be cheap" -- Frank Zappa
  4. Re:This is why I am holding off on upgrading to 2. by rplacd · · Score: 0

    I'm curious -- what type of maturity problems are holding you back? Is it the lack of ported third-party modules?

    I'm using it at work for either serving static + cgi content, or for svn.

  5. You get what you pay for by Anonymous Coward · · Score: 0

    Apache doesn't care about your web site.

    Maybe you should use a web server written by professionals instead.

    Welcome to the future!

  6. Re:This is why I am holding off on upgrading to 2. by stefanlasiewski · · Score: 5, Insightful

    (At home, I'm also using it to test svn. svn has a lot of potential.)

    It's partially the modules (We use ATG Dynamo, and they have not yet updated their connection module to work with 2.0).

    It also has a lot to do with my belief that the numbering system is a representation of maturity, and mature products have better performance, stability than the younger branches. Recent releases have more bugs than mature releases.

    Our production system needs to be rock solid, we don't want to use these systems to test some newfangled Apache feature. Our Apache 1.3.26 servers never, ever crash.

    It's my belief that the Apache 2.0 branch will have more bugs and performance issues than the 1.3.x branch. I don't have a lot of hard data to support this belief,

    Apache 1.3.26 is way more stable than Apache 1.0.

    Remember how unstable Gnome 1.0 or linux-kernel 2.0 was? Over time, the bugs present in 1.0 or kernel 2.0 have been resolved, and as a result, we have Gnome 1.4 and kernel 2.4, two very good products.

    For instance, look at Gnome 1.0 vs Gnome 1.2+ ; or linux-kernel 2.0 vs 2.4.

    Likewise, Apache 2.1.0 will be faster, more stable and will have more useful features than the 2.0 branch.

    As a side effect of the new features, 2.1.0 will introduce some bugs which were not present in the 2.0.43 series. Most of those bugs will be resolved once the developers, users and bug stompers have had sufficient time to find and patch bugs, around 2.1.5 or so.

    --
    "Can of worms? The can is open... the worms are everywhere."
  7. Dot zero is NOT for everyone!! by aphor · · Score: 5, Insightful

    I don't understand why people are whining about Apache 2.0 being shunned by the masses. Running a DOT ZERO version means LOTS OF PATCHES. If you can't easily recompile and move on (like your site depends on changing interfaces/features/bugs) then dot zero is not for you.

    This isn't a chink in Apache's gleaming armor. It's free software. The process is just plain old programming and software evolution. Dot zero is for people of the bleeding edge. Not all websites qualify. The Apache way is a superior way to the IIS way. Other ways may be just dandy also. Problems with Apache 2.0 are no indication on that issue as long as they are.

    --
    --- Nothing clever here: move along now...
  8. more bugs in apache 2.0 than 1.3 by alonsoac · · Score: 1

    Is it me, or does it seem that Apache 2.0 gets more bad press than the older version? Maybe that's why almost no one is switching, 2.0 seems to be not so stable yet while 1.3 looks solid enough.

  9. Re:This is why I am holding off on upgrading to 2. by artg · · Score: 1

    This week's excitement for PC users, the bugbear worm, is noted to sometimes search for copies of Apache 1.3.26 and attempt to report any it finds via email, presumably with the intention of attacking it.

    http://www.sophos.com/virusinfo/analyses/w32bugbeara.html

  10. Re:This is why I am holding off on upgrading to 2. by stefanlasiewski · · Score: 2

    From the analysis:

    "The worm may also attempt to determine the presence of an Apache 1.3.26 web server and relay this information to an external email address."

    I would be very concerned if I had any worms on my system. However, a worm that reports presence of an Apache 1.3.26 web server does not make that worm more of a problem.

    Why not?

    My webserver and webserver version are public information. That information is available to any person who uses a webbrowser, or any person who uses a spidering tool like 'wget'. Simply use the tool on a zillion sites, parse the host string, and you have a list of webservers that use Apache 1.3.26 .

    As an added security step, I suppose I could change the host string to return something more obscure, like "Apache" instead of "Apache 1.3.26", but I'm not a big believer in security through obscurity...

    --
    "Can of worms? The can is open... the worms are everywhere."