Koozali.org: home of the SME Server

Apache HTTP Server httpOnly information disclosure - 2.2.22

Offline alt-network

Apache HTTP Server httpOnly information disclosure - 2.2.22
« on: December 10, 2012, 04:54:15 PM »
I need help updating the Apache on a SME 7.6 server to version 2.2.22 to address the httpOnly vulnerability. Does anyone know what I need to do or where I can get the RPMs to do this?

http://www.iss.net/security_center/reference/vuln/HTTP_Apache_Error_Cookie_Disclosure.htm

I am unable at this time to upgrade the server to 8.0.

Thanks

Offline piran

Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
« Reply #1 on: December 10, 2012, 06:41:12 PM »
>>Does anyone know what I need to do...?
You could always try the obvious... and ensure
that a custom ErrorDocument for 400 *is* specified.

http://httpd.apache.org/security/vulnerabilities_22.html
"A flaw was found in the default error response for status code 400.
This flaw could be used by an attacker to expose "httpOnly"
cookies when no custom ErrorDocument is specified."


It's only a single line in your httpd template fragment:
Code:
ErrorDocument 400 /errordoc400.php
[ iBay ] [ errordoc400.php ]
Code:
<?php
// Send the 400 status explicitly and keep the error page out of search indexes
header("HTTP/1.1 400 BAD REQUEST");
header("X-Robots-Tag: NOINDEX,NOARCHIVE,NOFOLLOW,NOSNIPPET");
print "bad request";
?>

Offline alt-network

Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
« Reply #2 on: December 11, 2012, 06:10:03 PM »
This did not work. I ran a scan from SecurityMetrics and it still shows.

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />

Any other ideas please? Thanks

Offline CharlieBrady

Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
« Reply #3 on: December 11, 2012, 06:42:13 PM »
This did not work.

https://bugzilla.redhat.com/show_bug.cgi?id=785069#c32

Mitigation instructions:

As noted in the original reporter's advisory (see comment #5), this issue can be mitigated by using a custom ErrorDocument setting, such as:

  ErrorDocument 400 "Bad Request"

  http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

It should be noted that an ErrorDocument setting using a path or an external URL does not mitigate this issue.
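The distinction in the Red Hat note is what separates reply #1 (a path, no mitigation) from the working fix (a literal message). The following is an added example, not code from the thread or from SME Server, that checks an httpd template fragment for which form of `ErrorDocument 400` is in effect and that tests a captured 400 response for an echoed cookie; the config fragments and the response sample are constructed, and VirtualHost scoping is ignored.

```python
import re

# Matches "ErrorDocument <code> <value>" on a config line (leading whitespace allowed).
ERRORDOC_RE = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(.+?)\s*$', re.IGNORECASE)


def classify_errordocument(value):
    """Return 'message', 'default', 'path' or 'url' for an ErrorDocument value."""
    v = value.strip()
    if v.lower() == "default":
        return "default"               # built-in page: no mitigation
    if re.match(r'^[a-z][a-z0-9+.-]*://', v, re.IGNORECASE):
        return "url"                   # external redirect: no mitigation
    if v.startswith("/"):
        return "path"                  # local path such as /errordoc400.php: no mitigation
    # Apache 2.2 treats the remaining form (normally starting with a double
    # quote) as a text message that httpd sends itself instead of the default page.
    return "message"


def check_400_mitigation(config_text):
    """Scan a config fragment; return (mitigated, reason) for ErrorDocument 400."""
    last = None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):      # whole-line comments only in httpd.conf
            continue
        m = ERRORDOC_RE.match(line)
        if m and m.group(1) == "400":
            last = m.group(2)                  # a later directive overrides an earlier one
    if last is None:
        return False, "no ErrorDocument 400 directive; the built-in 400 page is used"
    kind = classify_errordocument(last)
    if kind == "message":
        return True, f"ErrorDocument 400 uses a literal message: {last}"
    return False, f"ErrorDocument 400 uses a {kind} ({last}), which does not mitigate"


def body_reflects_cookie(raw_response, cookie_value):
    """True if the body of a raw HTTP response echoes the given cookie value."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    return sep != "" and cookie_value in body


# Constructed fragments: the non-mitigating form from reply #1 and the mitigating one.
PATH_FRAGMENT = "ErrorDocument 400 /errordoc400.php\n"
MESSAGE_FRAGMENT = 'ErrorDocument 400 "Bad Request"\n'

if __name__ == "__main__":
    for frag in (PATH_FRAGMENT, MESSAGE_FRAGMENT):
        print(check_400_mitigation(frag))
```

Run it against the relevant template fragment under /etc/e-smith/templates/ before and after the change, and against a saved scanner response to confirm the cookie value no longer appears in the body.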

Offline alt-network

Re: Apache HTTP Server httpOnly information disclosure - 2.2.22
« Reply #4 on: December 11, 2012, 10:13:59 PM »
That worked!!!!


Thanks