Summary: A flaw in the imagemap processing module, mod_imap, in versions of Apache httpd 1.3, 2.0 and 2.2 can in some circumstances cause the referer header to be output without being escaped in HTML. This could allow an attacker who is able to influence the referer header the ability to do cross-site scripting attacks against sites using mod_imap in a vulnerable configuration. Impact: moderate (http://httpd.apache.org/security/impact_levels.html) Mitigation: This flaw only affects sites using mod_imap with a map file that contains the "referer" directive. In order to exploit this flaw the attacker would need to control the referer header and therefore would need to entice a victim to visit a URL under the attackers control. A sucessful cross-site scripting attack using this flaw would be limited to certain browsers. Firefox and Mozilla browsers for example already escape suspect characters in a URL which blocks this from being exploited. Solution: The attached patch ensures that the referer header in mod_imap is escaped and therefore cannot be used as part of a cross-site scripting attack. Where this patch cannot be used, a temporary solution is to remove the "referer" directive from any map files. Verification: I was able to verify this by constructing a victim site with a vulnerable mod_imap configuration and by constructing a set of scripts on the attacker site. When the attackers site was visited using the Internet Explorer browser it was able to steal the users private cookies from the victim site. Timeline: 20051101 CERT notification of flaw to security@apache.org 20051102 ASF verification of flaw 20051103 Assigned CVE-2005-3352 with proposed patches 20051104 Contacted CERT asking for co-ordinated release and reporter info 20051114 No response from CERT, contacted them again suggesting 20051118 20051114 CERT said they would contact reporter 20051212 No further response from CERT or reporter, made public
Created attachment 17199 [details] Patch for apache-1.3 tree (ack fielding, jorton)
Created attachment 17200 [details] Patch for apache-2.0 tree (ack fielding, jorton)
VU#299838 JPCERT#94453446 JVN#06045169
The fixes for this were committed a while back: http://svn.apache.org/viewcvs?rev=357161&view=rev (trunk) http://svn.apache.org/viewcvs?rev=356291&view=rev (2.2.x) http://svn.apache.org/viewcvs?rev=356278&view=rev (1.3.x) http://svn.apache.org/viewcvs?rev=356279&view=rev (2.0.x)