Wednesday, February 22, 2012

CVE-2012-0053



According to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053, protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.




In this experiment, the Windows build of Apache/2.2.21 was tested. The popular open source project phpMyAdmin was deployed as part of XAMPP.

As shown in this screen capture, the application sets three HttpOnly cookies: phpMyAdmin, pma_lang and pma_collation_connection.


Once the exploit script is run, the request contains a number of generated cookies, as shown in this screen capture.


Because the total length of the Cookie header exceeded the server limit, the request produced a 400 error on the server, but the server's response still contained those three HttpOnly cookies. This test showed that the server is vulnerable to this issue.
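The check below is an added example and is not code from the original post or from the Apache project. It shows the defender's side of the test described above: given a captured 400 response and the list of cookie names the application marks HttpOnly, it reports which of those cookies the error page echoes back. The two sample responses are constructed; their layout is modelled on the Apache 2.2.21 error page that prints the offending header inside a `<pre>` block (an assumption about the page format, not taken from the post), and the cookie values are made up. The assumed fix state, in which the header value is no longer echoed, corresponds to Apache 2.2.22, the first release after the affected range the CVE lists.

```python
import re

# Cookie names the application sets with the HttpOnly flag (from the post).
HTTPONLY_NAMES = ["phpMyAdmin", "pma_lang", "pma_collation_connection"]

# Constructed sample: a 400 page in the style of Apache 2.2.21, which echoes the
# oversized Cookie header back inside a <pre> block. Values are made up.
VULNERABLE_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.21 (Win32)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "<pre>\n"
    "Cookie: phpMyAdmin=EXAMPLE_SESSION_ID; pma_lang=en; "
    "pma_collation_connection=utf8_general_ci; pad0=" + "A" * 40 + "\n"
    "</pre>\n</p>\n<hr>\n"
    "<address>Apache/2.2.21 (Win32) Server at localhost Port 80</address>\n"
    "</body></html>\n"
)

# Constructed sample: the same error without the echoed header (assumed fixed behaviour).
PATCHED_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Apache/2.2.22 (Win32)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html><head><title>400 Bad Request</title></head><body>\n"
    "<h1>Bad Request</h1>\n"
    "<p>Your browser sent a request that this server could not understand.<br />\n"
    "Size of a request header field exceeds server limit.<br />\n"
    "</p>\n<hr>\n"
    "<address>Apache/2.2.22 (Win32) Server at localhost Port 80</address>\n"
    "</body></html>\n"
)


def split_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers_dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def reflected_cookies(body):
    """Return {name: value} for every cookie pair echoed on a 'Cookie:' line in the body.

    Only the text up to the end of the line (or the next HTML tag) is considered,
    so the </pre> that closes the block is never mistaken for a cookie."""
    found = {}
    for match in re.finditer(r"Cookie:\s*([^\n<]*)", body):
        for pair in match.group(1).split(";"):
            name, sep, value = pair.strip().partition("=")
            if sep:
                found[name] = value
    return found


def leaked_httponly_cookies(raw_response, httponly_names):
    """Names of HttpOnly cookies that a 400 error page reflects back to the client.

    A non-400 response is not an error document of this kind and yields []."""
    status, _, body = split_response(raw_response)
    if status != 400:
        return []
    echoed = reflected_cookies(body)
    return sorted(name for name in httponly_names if name in echoed)


if __name__ == "__main__":
    for label, sample in (("2.2.21-style", VULNERABLE_400), ("2.2.22-style", PATCHED_400)):
        leaked = leaked_httponly_cookies(sample, HTTPONLY_NAMES)
        print(label, "leaks HttpOnly cookies:" if leaked else "leaks nothing", leaked)
```

Run against a response captured from your own server, the check returns a non-empty list exactly when the error page defeats the HttpOnly flag, which is the condition the screen captures above demonstrate. The remedy is to move to a release outside the affected range (2.2.22 or later) and, as a general rule, to treat any error document that echoes raw request headers as a cookie-disclosure channel.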



