Bug#453783: apache2: CVE-2007-4465
Dear Stefan,

> ... I think reporting it to the Firefox bugzilla would be a good idea.

Had done so:

https://bugzilla.mozilla.org/show_bug.cgi?id=406777
https://bugzilla.mozilla.org/show_bug.cgi?id=356280

>>> If it affects only one buggy browser, it's low impact. ...
>> If that buggy browser is IE ...
> ... I still do not think it is important enough for a security
> advisory.

So far I failed in producing an exploit for IE... even though that is expected/reported to be easy! (The Firefox bug "trumps" any fix you may make.)

Thanks,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#453783: apache2: CVE-2007-4465
Just for completeness:

On Tuesday 04 December 2007, Paul Szabo wrote:
> > ... I think reporting it to the Firefox bugzilla would be a good
> > idea.
>
> Had done so:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=406777
> https://bugzilla.mozilla.org/show_bug.cgi?id=356280
Bug#453783: apache2: CVE-2007-4465
Dear Paul,

thanks for the information.

On Saturday 01 December 2007, you wrote:
> > If you can exploit that with Firefox, Firefox should be fixed.
> > Can you give more details? I would be very interested.
>
> Will do, offline (because it affects the main web login site of my
> Uni). Essentially, I found that Firefox will inherit the charset of
> the parent page, when that had been selected manually (does not
> inherit the charset specified in headers or meta). I guess this is
> a "new" bug in Firefox, maybe they should be told...

This would require some social engineering but could probably be exploited in some cases. I think reporting it to the Firefox bugzilla would be a good idea.

> > If it affects only one buggy browser, it's low impact. ...
>
> If that buggy browser is IE, used by 90% of the (deluded)
> population, then it is not low impact.

I have committed the patch to our SVN repository for etch. It will probably be released with etch r3 (or maybe r2, if that is delayed further). I still do not think it is important enough for a security advisory.

Cheers,
Stefan
Bug#453783: apache2: CVE-2007-4465
Dear Stefan,

> If you can exploit that with Firefox, Firefox should be fixed. Can you
> give more details? I would be very interested.

Will do, offline (because it affects the main web login site of my Uni). Essentially, I found that Firefox will inherit the charset of the parent page, when that had been selected manually (does not inherit the charset specified in headers or meta). I guess this is a "new" bug in Firefox, maybe they should be told...

> Any browser that interprets ascii as utf7 without being told to do so
> is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache.
> Your retraction was about Apache.

So IE "encoding autoselect" is severely buggy: I almost agree. Whatever people think CVE-2006-5152 is about, I meant my posts to be about Apache. (No use trying to get MS to fix IE.)

> If it affects only one buggy browser, it's low impact. ...

If that buggy browser is IE, used by 90% of the (deluded) population, then it is not low impact.

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
Bug#453783: apache2: CVE-2007-4465
Hi Paul,

On Saturday 01 December 2007, you wrote:
> > This is actually a bug in MSIE, see CVE-2006-5152.
>
> Not a bug in IE only, I have a demo that exploits it under Firefox.
> (In fact my demo does not seem to work for IE, yet...)

If you can exploit that with Firefox, Firefox should be fixed. Can you give more details? I would be very interested.

> Not really related to CVE-2006-5152. In fact that is a non-issue:
> the CVE references my posts, but fails to reference my retraction
> http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

Any browser that interprets ascii as utf7 without being told to do so is severely buggy. And CVE-2006-5152 is about MSIE, not about Apache. Your retraction was about Apache.

> > ... no plan to backport ... it is of low impact.
>
> I do not think that XSS and cookie theft (thus access to all data
> protected by web login) is of low impact.

If it affects only one buggy browser, it's low impact. And since the patch for the workaround is not that small (and is changing default behaviour and is adding a new config directive), I didn't want to backport it to stable. If it affects more browsers, I might reconsider.

> > ... setting AddDefaultCharset also protects from the issue.
> > AddDefaultCharset is on in the default configurations ...
>
> Thanks for that other workaround: yes it seems to protect my
> machines. Now I am puzzled why AddDefaultCharset was commented out
> in my configs. Still puzzled why Apache did not mention these
> workarounds.

AddDefaultCharset has some often unwanted side effects. It overrides the charset in meta http-equiv tags. See

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397886
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=415775

It is not the default anymore in lenny and sid.

Cheers,
Stefan
Bug#453783: apache2: CVE-2007-4465
Dear Stefan,

> This is actually a bug in MSIE, see CVE-2006-5152.

Not a bug in IE only, I have a demo that exploits it under Firefox. (In fact my demo does not seem to work for IE, yet...)

Not really related to CVE-2006-5152. In fact that is a non-issue: the CVE references my posts, but fails to reference my retraction
http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049828.html

> ... no plan to backport ... it is of low impact.

I do not think that XSS and cookie theft (thus access to all data protected by web login) is of low impact.

> ... setting AddDefaultCharset also protects from the issue.
> AddDefaultCharset is on in the default configurations ...

Thanks for that other workaround: yes it seems to protect my machines. Now I am puzzled why AddDefaultCharset was commented out in my configs. Still puzzled why Apache did not mention these workarounds.

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia
Bug#453783: apache2: CVE-2007-4465
severity 453783 normal
tags 453783 security
found 453783 2.2.3-4
fixed 453783 2.2.6-1
thanks

Hi,

On Saturday 01 December 2007, Paul Szabo wrote:
> Seems to me that Debian (sarge or etch or even sid) apache packages
> are not yet patched against
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465
>
> Seems to me that the obvious workarounds of turning Indexes off or
> having an index.html everywhere, protect just fine; and wonder why
> Apache does not say so.

This is actually a bug in MSIE, see CVE-2006-5152. Sid and lenny have the workaround, but there is currently no plan to backport it to sarge and etch (as it is of low impact).

Besides switching directory indexes off, setting AddDefaultCharset also protects from the issue. AddDefaultCharset is on in the default configurations in sarge and etch.

Cheers,
Stefan
Bug#453783: apache2: CVE-2007-4465
Package: apache2
Severity: grave
Justification: user security hole

Seems to me that Debian (sarge or etch or even sid) apache packages are not yet patched against

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4465

Seems to me that the obvious workarounds of turning Indexes off or having an index.html everywhere, protect just fine; and wonder why Apache does not say so.

Cheers,

Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics, University of Sydney, Australia

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-spm1.11
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
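The two configuration workarounds discussed in this thread (turning off `Indexes`, or setting `AddDefaultCharset` so that mod_autoindex listings are served with an explicit charset) can be checked mechanically. The audit below is an added example written for this page, not code from the bug report or from the apache2 package; the sample configurations are constructed, and the check is deliberately file-wide (it does not track per-`<Directory>` scope), so treat a clean result as a hint, not proof. As the maintainer notes above, `AddDefaultCharset` also overrides `meta http-equiv` charsets, which is why disabling `Indexes` is the narrower fix.

```python
import re

# Constructed sample: listings on, default charset commented out (exposed).
WEAK_CONF = """
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
#AddDefaultCharset UTF-8
"""

# Constructed sample: listings off and a default charset set (either alone suffices).
HARDENED_CONF = """
<Directory /var/www/>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None
</Directory>
AddDefaultCharset UTF-8
"""


def audit_autoindex_charset(conf_text):
    """Return findings relevant to CVE-2007-4465 for one Apache config text.

    Exposure needs both conditions: directory listings enabled (Options
    Indexes or All) and no default charset, so the listing goes out without
    a charset and a browser may guess the encoding. Either workaround closes it.
    """
    indexes_on = False
    charset_set = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"Options\s+(.*)", line, re.I)
        if m:
            for opt in m.group(1).split():
                if opt.lower() in ("indexes", "+indexes", "all", "+all"):
                    indexes_on = True
                elif opt.lower() in ("-indexes", "-all", "none"):
                    indexes_on = False
        m = re.match(r"AddDefaultCharset\s+(\S+)", line, re.I)
        if m and m.group(1).lower() != "off":
            charset_set = True
    findings = []
    if indexes_on:
        findings.append("Options Indexes enabled: mod_autoindex listings are served")
    if not charset_set:
        findings.append("AddDefaultCharset not set: listings carry no charset")
    return findings


def is_exposed(conf_text):
    """True only when both conditions hold, i.e. neither workaround is applied."""
    return len(audit_autoindex_charset(conf_text)) == 2
```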

