HTTP header
Security Advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header
Manipulation Vulnerabilities
Release Date: 2010-07-02
Application: Cisco Content Services Switch (CSS) / ACE Products
Versions: Cisco CSS 11500 - 08.20.1.01
Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5)]
CVE identification code CVE-2009-0920 was assigned to the
unpatched/variant stack-based overflow related to CVE-2008-0067, and
CVE-2009-0921 was assigned for the two heap overflows. Bugtraq IDs
(BIDs) were assigned: 34134 for the 'OvAcceptLang' parameter bug, and
34135 for the 'Accept-Language' HTTP header bug.
7.1. *Stack-based overflow (CVE-2009-0920)*
It is important to remark that the stack-based bug on parameter
cause a denial of service (crash) and possibly execute arbitrary code
via (1) the SSL dissector or (2) the iSeries (OS/400) Communication
trace file parser.
CVE-2008-0694 02/11/2008 Cross-site scripting (XSS) vulnerability in the
HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to
inject arbitrary web script or HTML via the Expect HTTP header.
OSVDB Disclosed Title
5835 2000-09-12 AS/400 Firewall Malformed GET Request DoS
9787 1999-05-04 IBM Lotus Domino for AS/400 SMTP Component Long String
###############################################################################
5. HTTP Response Splitting Vulnerability in "controller.php"
###############################################################################
Reason: unsanitized user-submitted data is used to generate HTTP headers
Attack vector: user-submitted POST parameter "redirect"
Preconditions:
1. PHP version must be < 4.4.2 for HTTP Response Splitting attacks to work
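The following is an added example, not code from the advisory or from the affected product: it reproduces in Python the redirect-handler pattern described above (a POST parameter copied verbatim into a Location header), shows how one response becomes two, and puts the validation in front of the header write. The refusal of CR/LF is the protection PHP 4.4.2 added to header() itself, which is why the older version is listed as a precondition. The attacker value SPLIT_PAYLOAD and the handler names are constructed for this example.

```python
# Added example (not the advisory's or controller.php's code): HTTP response
# splitting through a redirect parameter, and the check that prevents it.
from urllib.parse import urlsplit

CRLF = "\r\n"

# Constructed attacker value for the "redirect" POST parameter: the first CRLF
# ends the Location line, the CRLF pair ends the 302, and what follows is a
# complete attacker-controlled second response.
SPLIT_PAYLOAD = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: 25" + CRLF + CRLF
    + "<script>alert(1)</script>"
)


def _emit_redirect(location: str) -> bytes:
    """Serialise a 302 the way a minimal framework would. The value is copied
    into the header line verbatim, so any validation has to happen earlier."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + location + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    ).encode("latin-1")


def redirect_vulnerable(redirect: str) -> bytes:
    """The controller.php pattern: user data goes straight into the header."""
    return _emit_redirect(redirect)


def safe_location(redirect: str) -> str:
    """Reject anything that could end the header line or leave the site:
    control characters (CR, LF, NUL, ...) and absolute or protocol-relative
    URLs. Only a local absolute path is accepted."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in redirect):
        raise ValueError("control character in redirect target")
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc or not redirect.startswith("/") or redirect.startswith("//"):
        raise ValueError("redirect target must be a local absolute path")
    return redirect


def redirect_fixed(redirect: str) -> bytes:
    """Same handler with the validation in front of the header write."""
    return _emit_redirect(safe_location(redirect))


def split_responses(raw: bytes) -> list:
    """How a downstream cache or browser sees the stream: each chunk that begins
    with a status line after a header/body boundary is its own response.
    A correct redirect yields one chunk; a split yields two."""
    return [c for c in raw.split(b"\r\n\r\n") if c.startswith(b"HTTP/")]


def is_rejected(redirect: str) -> bool:
    """True when safe_location() refuses the value."""
    try:
        safe_location(redirect)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(len(split_responses(redirect_vulnerable(SPLIT_PAYLOAD))), "responses from the vulnerable handler")
    print(len(split_responses(redirect_fixed("/home"))), "response from the fixed handler")
```

The second response in the split stream is the one a shared cache stores under whatever URL the attacker requests next on the same connection, which is why the issue is rated beyond a simple header injection.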
Title: at32 Reverse Proxy - Multiple HTTP Header Field Denial Of Service Vulnerability
Product : at32 Reverse Proxy
Version : v1.060.310
Vendor: http://www.at32.com/doc/rproxy.htm
Class: Boundary Condition Error
Title: Mercurycom MR804 Router - Multiple HTTP Header Fields Denial Of Service Vulnerability
Product : Mercurycom MR804 Router
Hardware Version : MR804 v8.0 081C3113
Software Version : 3.8.1 Build 101220 Rel.53006nB
Vendor: http://www.mercurycom.com.cn/
> # CVE: CVE-2012-2212
>
>
> I found a vulnerability in McAfee Web Gateway 7 that allows access to
> filtered sites.
> The appliance believes the Host field of the HTTP header when using the CONNECT method.
> Example
>
> CONNECT 66.220.147.44:443 HTTP/1.1
> Host: www.facebook.com
>
===========
nnp discovered multiple vulnerabilities in the XML-RPC handler in the
file webserver.c. The ws_addarg() function contains a format string
vulnerability, as it does not properly sanitize username and password
data from the "Authorization: Basic" HTTP header line (CVE-2007-5825).
The ws_decodepassword() and ws_getheaders() functions do not correctly
handle empty Authorization header lines, or header lines without a ':'
character, leading to NULL pointer dereferences (CVE-2007-5824).
Impact
> > # Tested on: Squid Proxy 3.1.19
> > # CVE: CVE-2012-2213
> >
> >
> > I found a vulnerability in Squid Proxy that allows access to filtered sites.
> > The software believes the Host field of the HTTP header when using the CONNECT method.
> > Example
> >
> > CONNECT 66.220.147.44:443 HTTP/1.1
> > Host: www.facebook.com
> >
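The McAfee Web Gateway (CVE-2012-2212) and Squid (CVE-2012-2213) posts above describe the same weakness: a filter that categorises a CONNECT request by its Host header. The tunnel is opened to the request-target, and a client controls the two fields independently. The block below is an added example, mine rather than either poster's or either product's code; the block list, the sample requests and the function names are constructed. It shows the two decisions diverging and the check that closes the gap.

```python
# Added example (not from the McAfee or Squid posts): which field a CONNECT
# filter must decide on. Block list and requests are constructed.
from urllib.parse import urlsplit

BLOCKED = {"www.facebook.com", "66.220.147.44"}   # constructed policy

# Tunnel to the blocked address while the Host header names a permitted site.
BYPASS = b"CONNECT 66.220.147.44:443 HTTP/1.1\r\nHost: www.example.net\r\n\r\n"
# The same client asking for the blocked site openly.
OPEN = b"CONNECT www.facebook.com:443 HTTP/1.1\r\nHost: www.facebook.com:443\r\n\r\n"
# An ordinary permitted tunnel.
LEGIT = b"CONNECT www.example.net:443 HTTP/1.1\r\nHost: www.example.net:443\r\n\r\n"


def connect_fields(raw: bytes):
    """Return (request-target, Host header value or None) for a CONNECT request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host = None
    for line in header_lines:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            break
    return target, host


def hostname(authority: str) -> str:
    """Strip the port (and IPv6 brackets) from a host:port authority."""
    return urlsplit("//" + authority).hostname or ""


def decide_by_host_header(raw: bytes) -> str:
    """The weak policy: categorise by whatever the client put in Host."""
    target, host = connect_fields(raw)
    return "deny" if hostname(host if host is not None else target) in BLOCKED else "allow"


def decide_by_target(raw: bytes) -> str:
    """The correct policy: categorise the endpoint the tunnel will actually be
    opened to, and refuse a Host header that disagrees with it, since no
    legitimate client needs the two to differ."""
    target, host = connect_fields(raw)
    if hostname(target) in BLOCKED:
        return "deny"
    if host is not None and hostname(host) != hostname(target):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for name, req in (("bypass", BYPASS), ("open", OPEN), ("legit", LEGIT)):
        print(name, "host-header policy:", decide_by_host_header(req),
              "target policy:", decide_by_target(req))
```

A production filter still has to map the request-target to a category (by name, or by resolving it and matching the address); the point of the example is only which field that lookup is fed from.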
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906
Description:
Previous versions of the mono package contain an HTTP header
vulnerability which may allow attackers to insert cross-site
scripting or other malicious code into an HTTP response.
http://wiki.rpath.com/Advisories:rPSA-2008-0286
are insufficiently enforced.
CVE-2008-3656
Christian Neukirchen discovered that the WebRick module uses
inefficient algorithms for HTTP header splitting, resulting in
denial of service through resource exhaustion.
CVE-2008-3657
It was discovered that the dl module doesn't perform taintness
problems:
CVE-2007-5824
Insufficient validation and bounds checking of the Authorization:
HTTP header enables a heap buffer overflow, potentially enabling
the execution of arbitrary code.
CVE-2007-5825
Format string vulnerabilities in debug logging within the
Secunia Research has discovered some vulnerabilities in Streamripper,
which can be exploited by malicious people to compromise a user's
system.
1) A boundary error exists within http_parse_sc_header() in lib/http.c
when parsing an overly long HTTP header starting with "Zwitterion v".
2) A boundary error exists within http_get_pls() in lib/http.c when
parsing a specially crafted pls playlist containing an overly long
entry.
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-4337 CVE-2008-4829
Debian Bug : 506377
Multiple buffer overflows involving HTTP header and playlist parsing
have been discovered in streamripper (CVE-2007-4337, CVE-2008-4829).
For the stable distribution (etch), these problems have been fixed in
version 1.61.27-1+etch1.
- Check Point Firewall-1 PKI Web Service HTTP Header Remote Overflow
- Description
The Check Point Firewall-1 PKI Web Service, running by default on TCP
port 18264, is vulnerable to a remote overflow in the handling of very
long HTTP headers. This was discovered during a pen-test where the
client would not allow further analysis and would not provide the full
product/version info. Initial testing indicates the 'Authorization'
and 'Referer' headers were vulnerable.
CVE Id : CVE-2009-0751
It was discovered that yaws, a high performance HTTP 1.1 webserver, is
prone to a denial of service attack via a request with a large HTTP
header.
For the stable distribution (lenny), this problem has been fixed in
version 1.77-3+lenny1.
For the oldstable distribution (etch), this problem has been fixed in
...
if (charset == UNDEFINED_CHARSET)
  {
    /* the charset is not already defined by the http header */
    str = strstr (text2, "charset=");
    if (str)
      {
        pos = str - text2 + 8;
        while (text2[pos] != SPACE &&
memory contents by enticing a user to open a specially crafted PDF file
inside a Flash application, modify the victim's clipboard or render it
temporarily unusable, persuade a user into uploading or downloading
files, bypass security restrictions with the assistance of the user to
gain access to camera and microphone, conduct Cross-Site Scripting and
HTTP Header Splitting attacks, bypass the "non-root domain policy" of
Flash, and gain escalated privileges.
Workaround
==========
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of IBM Tivoli Storage Manager Express.
Authentication is not required to exploit this vulnerability.
The specific flaw exists in the dsmcad.exe process bound by default on
TCP port 1581. During HTTP header parsing, a host parameter of
sufficient length will trigger an overflow through a call to
vswprintf(). The call overflows into imported function pointers which
are later called. Exploitation of this issue can result in arbitrary
code execution.
Edit a normal access log and set the request method to an overly long
string.
Edit a normal useragent log and set the useragent field to an overly
long string or send a request to the Squid proxy server passing an
overly long string as useragent in the HTTP header.
---------
Solution:
---------
nodes is modified to the final URI of a 302 redirect, bypassing the
same origin policy (CVE-2008-0593).
* Gregory Fleischer discovered that under certain circumstances,
leading characters from the hostname part of the "Referer:" HTTP
header are removed (CVE-2008-1238).
* Peter Brodersen and Alexander Klink reported that the browser
automatically selected and sent a client certificate when SSL Client
Authentication is requested by a server (CVE-2007-4879).
- Severity: 6.3/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
WordPress MU < 2.7 'Host' HTTP Header Cross Site Scripting (XSS)
Vulnerability
II. BACKGROUND
-------------------------
WordPress MU, or multi-user, allows one to run unlimited blogs with a
Vendor Response: None
Description:
A denial of service condition can be reached by specifying an invalid value for the Authorization
HTTP header. When ntop receives this, it attempts to base64 decode the value then split it based on
a colon. When no colon exists in the decoded string the username is left at its default NULL value.
During the authentication process the length of the username is computed via strlen(), which results
in a segmentation fault when it processes the null value.
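The ntop entries above (CVE-2007-5824: Authorization header without a colon, header lines without ':'), the yaws large-header denial of service (CVE-2009-0751) and the long-header overflows in Check Point, Tivoli Storage Manager and streamripper all come from reading header data before checking its shape or size. The block below is an added example, not the code of ntop, yaws or any other product named on this page: a header reader that applies limits up front, plus a Basic-credential parser written both the way the ntop advisory describes and the way it should be. The limits, the sample requests and the function names are assumptions made for the example.

```python
# Added example (not ntop's, yaws' or any advisory's code): bounded header
# parsing and complete validation of a Basic Authorization value.
import base64
import binascii

# Assumed limits, chosen to resemble common server defaults.
MAX_HEADER_LINE = 8192
MAX_HEADER_COUNT = 100
MAX_HEADER_BLOCK = 64 * 1024


class HeaderError(ValueError):
    """Raised for any request the parser refuses instead of mishandling."""


def read_headers(raw: bytes, max_line=MAX_HEADER_LINE, max_count=MAX_HEADER_COUNT,
                 max_block=MAX_HEADER_BLOCK) -> dict:
    """Parse the CRLF-delimited header block of one request into a dict keyed
    by lower-cased name. Over-long blocks and lines, too many lines, and lines
    without ':' (or with an empty name) are rejected before any value is used;
    that is the difference between a 4xx and the crashes described above."""
    head, terminator, _body = raw.partition(b"\r\n\r\n")
    if not terminator:
        raise HeaderError("header block not terminated")
    if len(head) > max_block:
        raise HeaderError("header block too large")
    _request_line, *lines = head.split(b"\r\n")
    if len(lines) > max_count:
        raise HeaderError("too many header lines")
    headers = {}
    for line in lines:
        if len(line) > max_line:
            raise HeaderError("header line too long")
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise HeaderError("malformed header line")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def basic_credentials_naive(auth_value: str):
    """The shape of the ntop bug: decode, split on ':' and use both halves
    without checking that the colon was there. With no colon the second half
    does not exist and the caller blows up (strlen(NULL) in C, an unpacking
    error here)."""
    decoded = base64.b64decode(auth_value.split(" ", 1)[1]).decode("latin-1")
    user, password = decoded.split(":", 1)
    return user, password


def basic_credentials(auth_value: str):
    """Validate an Authorization value completely before using any part of it."""
    scheme, _, blob = auth_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        raise HeaderError("missing or unsupported credentials")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError) as exc:
        raise HeaderError("credentials are not valid base64") from exc
    user, colon, password = decoded.partition(":")
    if not colon or not user:
        raise HeaderError("credentials lack the user:password form")
    return user, password


def rejected(func, arg) -> bool:
    """True when func(arg) fails on the controlled path (HeaderError)."""
    try:
        func(arg)
    except HeaderError:
        return True
    return False


def naive_crashes(auth_value: str) -> bool:
    """True when the naive parser fails with anything other than HeaderError."""
    try:
        basic_credentials_naive(auth_value)
    except HeaderError:
        return False
    except Exception:
        return True
    return False


# Constructed requests and values for the checks.
GOOD = b"GET / HTTP/1.1\r\nHost: ntop.example\r\nAuthorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"  # alice:s3cr3t
NO_COLON = "Basic bm9jb2xvbg=="   # base64 of "nocolon", the ntop trigger
NO_SEPARATOR = b"GET / HTTP/1.1\r\nHost ntop.example\r\n\r\n"
HUGE = b"GET / HTTP/1.1\r\nX-Pad: " + b"A" * 9000 + b"\r\n\r\n"
```

read_headers() only accepts CRLF line endings, which is enough for the point being made; a parser for real traffic would also tolerate bare LF and reject obsolete line folding explicitly.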
Code:
Michal Zalewski discovered that the focus behavior of Firefox could be
subverted. If a user were tricked into viewing a malicious site, a remote
attacker could use this to capture keystrokes. (CVE-2010-1125)
Ilja van Sprundel discovered that the 'Content-Disposition: attachment'
HTTP header was ignored when 'Content-Type: multipart' was also present.
Under certain circumstances, this could potentially lead to cross-site
scripting attacks. (CVE-2010-1197)
Amit Klein discovered that Firefox did not seed its random number generator
often enough. An attacker could exploit this to identify and track users
Stack-based buffer overflow in the suhosin_encrypt_single_cookie
function in the transparent cookie-encryption feature in the Suhosin
extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and
suhosin.multiheader are enabled, might allow remote attackers to
execute arbitrary code via a long string that is used in a Set-Cookie
HTTP header (CVE-2012-0807). The php-suhosin packages have been upgraded
to version 0.9.33, which is not affected by this issue.
Additionally, some of the PECL extensions have been upgraded to their
latest respective versions, which resolves various upstream bugs.
_______________________________________________________________________