admin
06-09-2003, 11:41 PM
You need to install ActivePerl in order to use it under a Windows box.
==============================================
The details of each exploit vector are as follows:
* mod_*****
mod_***** outputs a simple message when a connection has failed that includes the host name of the intended destination. It accomplishes this via the vulnerable apr_psprintf() function. This leads to a crash if the Host header is extremely long.
* mod_dav
Certain methods of accessing a DAV repository may enable attacker-supplied input to be passed as a parameter to apr_psprintf() as part of an "Invalid namespace" error. This results in the crash of the child handling the request.
* Others
NOTE: mod_dav is also impacted by this exploit, but the exploit vector above specifically targets it.
Many modules format the hostname of the server into buffers via the apr_psprintf() function. The hostname is under the attacker's control if "UseCanonicalName Off" is in place. Via a long "Host" header, it becomes possible to cause these modules to crash.
*** NOTE: Some people have assumed that the Apache LimitRequestFieldSize directive would protect them from exploitation, so long as they did not have mod_dav installed. This is not correct, as the Apache HTTP Server may take:
GET /
Host: a
Host: b
And internally convert it to:
GET /
Host: a, b
The same is true for longer headers. Therefore, ten such headers of 2000 characters each bypass the default LimitRequestFieldSize directive, but still exploit the vulnerability.
Workarounds:
* LimitXMLRequestBody 2000 in your configuration file for any servers with DAV enabled. These can be identified by the string "DAV/2" in their server signatures in most cases.
* The following pair of lines:
LimitRequestFields 15
LimitRequestFieldSize 800
Will temporarily block the mod_***** exploit.
* Such a rash workaround is not required for the other modules, where a simple:
UseCanonicalName On
Does the trick. It was recently pointed out to Matthew that there was an error in Matthew's previous post regarding this. It incorrectly stated that UseCanonicalName *Off* fixed the flaw. In reality, this *opens* one of the exploit vectors. However, Matthew believes it was clearly identified in the other parts of Matthew's post, and this has now been corrected.

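The header-merging bypass described in the post, as an added example that is not part of the original post or of Apache's code: a small Python simulation that applies the per-field LimitRequestFields / LimitRequestFieldSize checks to a constructed request, then merges duplicate Host headers the way the post describes ("Host: a" + "Host: b" -> "Host: a, b") and reports how long the merged value is. The comma-space join and the Apache 2.0 default limit values (100 fields, 8190 bytes) are assumptions stated in the code; the sample request is constructed locally so the script runs offline.

```python
# Added example (not from the original post): simulate Apache's merging of
# duplicate request headers and show why per-field limits alone do not bound
# the merged value that modules later hand to apr_psprintf().
from typing import Dict, List, Tuple

# Assumed Apache 2.0 defaults for the two directives discussed in the post.
DEFAULT_LIMIT_REQUEST_FIELDS = 100
DEFAULT_LIMIT_REQUEST_FIELD_SIZE = 8190


def build_request(host_values: List[str], path: str = "/") -> bytes:
    """Build a raw HTTP/1.1 request carrying one Host header per value.
    The request is constructed input, not captured traffic."""
    lines = [f"GET {path} HTTP/1.1"]
    lines += [f"Host: {value}" for value in host_values]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request into (name, value) pairs, keeping duplicates in order."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_field_limits(headers: List[Tuple[str, str]], limit_fields: int,
                       limit_field_size: int) -> Tuple[bool, str]:
    """Apply the per-field checks LimitRequestFields / LimitRequestFieldSize make.
    Each header line is judged on its own; nothing here sees the merged value."""
    if len(headers) > limit_fields:
        return False, f"{len(headers)} fields exceeds LimitRequestFields {limit_fields}"
    for name, value in headers:
        line_len = len(name) + 2 + len(value)  # "name: value"
        if line_len > limit_field_size:
            return False, (f"field '{name}' of {line_len} bytes exceeds "
                           f"LimitRequestFieldSize {limit_field_size}")
    return True, "all fields within limits"


def merge_duplicate_headers(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Merge repeated headers as the post describes: comma-joined in arrival
    order ("a" + "b" -> "a, b"). The ", " separator is an assumption."""
    merged: Dict[str, str] = {}
    for name, value in headers:
        merged[name] = value if name not in merged else merged[name] + ", " + value
    return merged


def evaluate(host_values: List[str],
             limit_fields: int = DEFAULT_LIMIT_REQUEST_FIELDS,
             limit_field_size: int = DEFAULT_LIMIT_REQUEST_FIELD_SIZE) -> Tuple[bool, int]:
    """Return (passes_per_field_limits, length_of_merged_Host_value)."""
    headers = parse_headers(build_request(host_values))
    ok, _reason = check_field_limits(headers, limit_fields, limit_field_size)
    merged_len = len(merge_duplicate_headers(headers).get("host", ""))
    return ok, merged_len


if __name__ == "__main__":
    hosts = ["a" * 2000] * 10  # ten Host headers of 2000 characters each
    print("default limits  :", evaluate(hosts))
    print("post's workaround:", evaluate(hosts, limit_fields=15, limit_field_size=800))
```

With the defaults, the ten 2000-character headers each pass the per-field check, yet the merged Host value is over 20000 bytes; with the post's LimitRequestFields 15 / LimitRequestFieldSize 800 pair, the very first 2000-character line is rejected before any merging happens, which is why that pair blocks the vector while the default size limit does not.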