Hi. I think that server should have a list of valid requests. In fact Apache warns you sometimes that valid requests are: "GET/POST/TRACE/OPTIONS". The solution that it just accepts everything as request and protocol makes no sense. What kind of protocol is "<script>"? Regards Michal.
On 4/24/07, Richard Moore <[EMAIL PROTECTED]> wrote: > Michal Majchrowicz wrote: > > Hi. > > I think now we can classify this as flaw in Apache. It accepts > > requests that simply make no sense. Take a look at this example: > > <script>alert(document.cookie);</script> /test.php > > <script>alert(document.cookie);</script> > > In some circumstances it may cause XSS vulnerability: > > <?php > > echo $_SERVER['REQUEST_METHOD']; > > echo $_SERVER['SERVER_PROTOCOL']; > > ?> > > As Kradorex Xeron said, that's a flaw in the script. Apache needs > to let arbitrary verbs through to the PHP (or other server extension) > otherwise tools like webdav that require additional verbs could not > be implemented. It is possibly arguable that it should restrict the > verbs to a single alphanumeric string, but it certainly can't be > counted on to be just GET/POST etc. > > Cheers > > Rich. > > > I am now investigating other possible attacks. > > Regards Michal Majchrowicz. > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > > -- > Richard Moore, Principal Software Engineer, > Westpoint Ltd, > Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England > Tel: +44 161 237 1028 > Fax: +44 161 237 1031 > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
