Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: alt-network on December 10, 2012, 04:54:15 PM

Title: Apache HTTP Server httpOnly information disclosure - 2.2.22
Post by: alt-network on December 10, 2012, 04:54:15 PM
I need help updating the Apache on a SME 7.6 server to version 2.2.22 to address the httpOnly vulnerability. Does anyone know what I need to do, or where I can get the RPMs to do this?

http://www.iss.net/security_center/reference/vuln/HTTP_Apache_Error_Cookie_Disclosure.htm

I am unable at this time to upgrade the server to 8.0.

Thanks
Title: Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
Post by: piran on December 10, 2012, 06:41:12 PM
>>Does anyone know what I need to do...?
You could always try the obvious... and ensure
that a custom ErrorDocument for 400 *is* specified.

http://httpd.apache.org/security/vulnerabilities_22.html
"A flaw was found in the default error response for status code 400.
This flaw could be used by an attacker to expose "httpOnly"
cookies when no custom ErrorDocument is specified."

It's only a single line in your httpd template fragment:
Code:
ErrorDocument 400 /errordoc400.php

[ iBay ] [ errordoc400.php ]
Code:
<?php
// Send the 400 status ourselves, since the ErrorDocument handler is a normal PHP page
header("HTTP/1.1 400 BAD REQUEST");
// Keep search engines from indexing or caching the error page
header("X-Robots-Tag: NOINDEX,NOARCHIVE,NOFOLLOW,NOSNIPPET");
print "bad request";
?>
Title: Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
Post by: alt-network on December 11, 2012, 06:10:03 PM
This did not work. I ran a scan from SecurityMetrics and it still shows:

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r Pragma: no-cache\r Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated):

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> Size of a request header field exceeds server limit.<br />

Any other ideas please.... Thanks
Title: Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
Post by: CharlieBrady on December 11, 2012, 06:42:13 PM
>>This did not work.

https://bugzilla.redhat.com/show_bug.cgi?id=785069#c32

Mitigation instructions:

As noted in the original reporter's advisory (see comment #5), this issue can be mitigated by using a custom ErrorDocument setting, such as:

  ErrorDocument 400 "Bad Request"

  http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

It should be noted that an ErrorDocument setting using a path or external URL does not mitigate this issue.
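The distinction CharlieBrady quotes from the Red Hat bug is the whole point of the thread: only the inline quoted-message form of ErrorDocument 400 keeps httpd from emitting its built-in 400 page, while a path such as /errordoc400.php or an external URL does not. The following checker is an added example for this thread, not code from the forum, from SME Server or from the Apache project. It reads an httpd config fragment, finds the last ErrorDocument 400 directive (the last one wins in httpd), and reports whether it is of the mitigating inline form. The sample fragments are constructed for the example; ErrorDocument_RE, classify_errordocument and check_400_mitigation are names chosen here.

```python
import re

# Constructed sample fragments (not taken from the thread). The first uses the
# path form the bug report says does NOT mitigate the issue, the second the
# inline quoted-message form it recommends, the third has no 400 entry at all.
FRAGMENT_PATH = """
ErrorDocument 400 /errordoc400.php
ErrorDocument 404 /missing.html
"""

FRAGMENT_INLINE = """
# inline message: httpd emits this text instead of its built-in 400 page
ErrorDocument 400 "Bad Request"
"""

FRAGMENT_NONE = """
ErrorDocument 404 /missing.html
"""

# ErrorDocument <3-digit code> <argument>; directive names are case-insensitive
ERRORDOC_RE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)


def classify_errordocument(value):
    """Classify an ErrorDocument argument the way httpd 2.2 interprets it:
    a leading double quote is an inline message, a scheme prefix is an
    external URL (redirect), a leading slash is a local path, and the
    keyword 'default' restores the built-in (hard-coded) error page."""
    if value.startswith('"'):
        return "inline"
    if value.lower() == "default":
        return "default"
    if re.match(r'^[a-z][a-z0-9+.-]*://', value, re.IGNORECASE):
        return "url"
    if value.startswith('/'):
        return "path"
    return "other"


def check_400_mitigation(config_text):
    """Return (status, kind) where status is 'mitigated' only when the
    effective ErrorDocument 400 is an inline quoted message. kind is the
    classification of that argument, or 'none' when no 400 entry exists."""
    kind = "none"
    for line in config_text.splitlines():
        if line.strip().startswith('#'):      # skip comment lines
            continue
        m = ERRORDOC_RE.match(line)
        if m and m.group(1) == "400":
            kind = classify_errordocument(m.group(2))   # last one wins
    status = "mitigated" if kind == "inline" else "unmitigated"
    return status, kind


if __name__ == "__main__":
    for name, frag in (("path", FRAGMENT_PATH),
                       ("inline", FRAGMENT_INLINE),
                       ("none", FRAGMENT_NONE)):
        status, kind = check_400_mitigation(frag)
        print(f"{name:7s}: {status} (ErrorDocument 400 kind = {kind})")
```

Run it against the expanded output of your httpd template fragment (the file httpd actually reads, after the templates have been expanded) rather than the template source, so that any later fragment overriding the directive is taken into account.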
Title: Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
Post by: alt-network on December 11, 2012, 10:13:59 PM
That worked!!!!


Thanks