Hi All,

We have a security scanning company check all our sites daily and it has discovered an issue with Zenoss (running latest version 2.4.3).

Full details of the issue below, as taken from their report (I have altered our real domain name for security reasons). Can someone please investigate and put an urgent fix in place?

==============================

HTTP Response Splitting

Port:            8080
First Detected:  15/05/2009 17:04
Category:        CGI
Protocol:        HTTP
Fix Difficulty:  Medium
Impact:          Other

Description

HTTP response splitting is the ability for an attacker to modify the headers of an HTTP response due to lack of input validation on requests that are sent to the application server. A vulnerable web application or web server allows the user to insert a Carriage Return (%0D or \r) and/or a Line Feed (%0A or \n) into the headers of an HTTP response. This is usually done by sending modified requests to the web application and the web application responding with the user supplied data being inserted into a header. The attacker then constructs an attack using a CRLF (Carriage Return-Line Feed) attack that has the client interpret the data as 2 separate responses. These types of attacks are a means to an end and usually have a payload of:

- Cross-User Defacement/Page Hijacking: The ability for an attacker to affect a single user of a web application usually showing a "defaced" website. The payload is usually session hijacking, page defacement, or account compromise through interception of user credentials.
- Cache Poisoning: The ability for an attacker to affect multiple users of a cache server. This specific situation involves the victims to be using the same proxy/cache server as the attacker and is similar to Cross-User Defacement, except it affects more than one user at a time.
- Browser cache poisoning: This allows an attacker to cache a web page the attacker controls for a long period of time. Whenever the user requests the page again, the malicious cached page is loaded.
- Cross-Site Scripting (XSS): The ability for an attacker to run client side content (such as HTML, Flash, Quicktime and JavaScript) in the domain's context. The payload is usually to exploit the user's browser to compromise the file system and install Trojans and Malware.

CVSS 5.0

Solution

All input that is sent to a web application should not be trusted and should be assumed malicious. Characters such as Carriage Return (CR) and Line Feed (LF) should be removed from all requests before being interpreted by the web application server. An attacker can also use encoded Carriage Returns and Line Feeds to exploit the web server, and user-specified Carriage Returns and Line Feeds serve no business purpose on a web server. Filter the following characters from all user supplied input: %0D %0A %0D%0A \r \n \r\n

Confidential - McAfee Security Audit Report

Detail

Protocol:      http
Port:          8080
Read Timeout:  10000
Method:        POST
Path:          /zport/acl_users/cookieAuthHelper/login
Headers:
  Referer=http%3A%2F%2Fourdomain.com%3A8080%2Fzport%2Facl_users%2FcookieAuthHelper%2Flogin_form%3Fcame_from%3Dhttp%253A%252F%252Fourdomain.com%253A8080%252Fzport%252Fdmd%252FdeviceSearchResults
  Content-Type=application%2Fx-www-form-urlencoded
Body:
  came_from=
  Content-Type: text/html
  Mcafee: ResponseSplitting
  Content-Type: text/html
  submitted=true
  __ac_name=0
  __ac_password=0
  submitbutton=0

Protocol:      http
Port:          8080
Read Timeout:  10000
Method:        POST
Path:          /zport/acl_users/cookieAuthHelper/login
Headers:
  Referer=http%3A%2F%2Fourdomain.com%3A8080%2Fzport%2Facl_users%2FcookieAuthHelper%2Flogin_form%3Fcame_from%3Dhttp%253A%252F%252Fourdomain.com%253A8080%252Fzport%252Fdmd%252FdeviceSearchResults
  Content-Type=application%2Fx-www-form-urlencoded
Body:
  came_from=
  Content-Type: text/html
  Mcafee: ResponseSplitting
  Content-Type: text/html://ourdomain.com:8080/zport/dmd/deviceSearchResults
  submitted=true
  __ac_name=0
  __ac_password=0
  submitbutton=0

Links
  Introduction to HTTP Response Splitting
  OWASP - HTTP Response Splitting

Related: None

-------------------- m2f --------------------
Read this topic online here: http://forums.zenoss.com/viewtopic.php?p=38606#38606
-------------------- m2f --------------------

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
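The report's Solution section (reject CR/LF, raw or percent-encoded, before user input reaches a header) applied to the came_from parameter the scanner targeted: an added example written for this thread, not Zenoss or Zope code. The site host allowlist, the fixed fallback target and the simplified 302 builder are assumptions made for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed values for the example (not from Zenoss): the site's own host
# and the trusted fallback target used when came_from cannot be honoured.
OWN_HOSTS = {"ourdomain.com:8080"}
DEFAULT_TARGET = "/zport/dmd"


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so that double-encoded
    forms such as %250D are seen as the CR they eventually become."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_crlf(value):
    """True if a raw or encoded CR/LF is present anywhere in the value."""
    decoded = fully_decode(value)
    return "\r" in decoded or "\n" in decoded


def safe_redirect_target(came_from, allowed_hosts=OWN_HOSTS, default=DEFAULT_TARGET):
    """Return came_from only if it is CRLF-free and stays on our own site;
    anything else is replaced by the fixed default rather than 'cleaned'."""
    # Check for CR/LF before urlsplit(): recent Python versions silently drop
    # \r and \n while parsing, which would hide the injection.
    if not came_from or contains_crlf(came_from):
        return default
    parts = urlsplit(came_from)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:  # absolute or protocol-relative (//host/...) URL
        return came_from if parts.netloc in allowed_hosts else default
    return came_from if came_from.startswith("/") else default


def redirect_headers(came_from, hardened=True):
    """Header block of the 302 issued after login. hardened=False reproduces
    the flaw in the report: the decoded parameter is copied into Location."""
    target = safe_redirect_target(came_from) if hardened else came_from
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % target


def header_names(raw_block):
    """Header names a client would parse from the block (status line excluded);
    more than one name here means the response was split."""
    head = raw_block.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]
```

Running header_names() over the output of the unhardened builder with the report's came_from value shows the extra Content-Type and Mcafee headers the scanner flagged; the hardened builder yields only Location.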
