Apache mod_disk_cache模块客户端验证信息存储漏洞
受影响系统:
Apache Software Foundation Apache 2.0a9
Apache Software Foundation Apache 2.0.49
Apache Software Foundation Apache 2.0.48
Apache Software Foundation Apache 2.0.47
Apache Software Foundation Apache 2.0.46
Apache Software Foundation Apache 2.0.45
Apache Software Foundation Apache 2.0.44
Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.42
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.40
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9933
Apache是一款开放源代码流行的Httpd服务程序。
Apache包含的mod_disk_cache模块存在信息泄露问题,远程攻击者可以利用这个漏洞获得客户端验证的敏感信息。
mod_disk_cache模块把所有客户端验证信息存储在磁盘上,问题存在于modules/experimental/mod_disk_cache.c代码中的write_headers()函数:
========================================================================
/* Parse the vary header and dump those fields from the headers_in. */
/* Make call to the same thing cache_select_url calls to crack Vary. */
/* @@@ Some day, not today. */
if (r->headers_in) {
~ int i;
~ apr_table_entry_t *elts = (apr_table_entry_t *)
~ apr_table_elts(r->headers_in)->elts;
~ for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
~ if (elts[i].key != NULL) {
~ buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val,
~ CRLF, NULL);
~ amt = strlen(buf);
~ apr_file_write(hfd, buf, &amt);
~ }
~ }
~ buf = apr_pstrcat(r->pool, CRLF, NULL);
~ amt = strlen(buf);
~ apr_file_write(hfd, buf, &amt);
}
========================================================================
所有r->headers_in字段写入到磁盘上,这个字段包含所有客户端的验证信息。因此攻击者可以借此获得一些验证的明文密码等信息。
<*来源:Andreas Steinmetz (ast@domdv.de)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107981737322495&w=2
*>
建议:
--------------------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* Andreas Steinmetz <ast@domdv.de>提供的第三方补丁如下:
diff -rNu httpd-2.0.49.orig/modules/experimental/cache_util.c httpd-2.0.49/modules/experimental/cache_util.c
--- httpd-2.0.49.orig/modules/experimental/cache_util.c 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/cache_util.c 2004-03-20 15:55:51.000000000 +0100
@@ -516,3 +516,25 @@
apr_table_unset(headers_out, "Upgrade");
return headers_out;
}
+
+/* Create a new table consisting of those elements from a request_rec's
+ * headers_in that are allowed to be stored in a cache.
+ */
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r)
+{
+ /* Make a copy of the request headers, and remove from
+ * the copy any hop-by-hop headers, as defined in Section
+ * 13.5.1 of RFC 2616
+ */
+ apr_table_t *headers_in;
+ headers_in = apr_table_copy(r->pool, r->headers_in);
+ apr_table_unset(headers_in, "Connection");
+ apr_table_unset(headers_in, "Keep-Alive");
+ apr_table_unset(headers_in, "Proxy-Authenticate");
+ apr_table_unset(headers_in, "Proxy-Authorization");
+ apr_table_unset(headers_in, "TE");
+ apr_table_unset(headers_in, "Trailers");
+ apr_table_unset(headers_in, "Transfer-Encoding");
+ apr_table_unset(headers_in, "Upgrade");
+ return headers_in;
+}
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_cache.h httpd-2.0.49/modules/experimental/mod_cache.h
--- httpd-2.0.49.orig/modules/experimental/mod_cache.h 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/mod_cache.h 2004-03-20 15:55:51.000000000 +0100
@@ -238,6 +238,11 @@
*/
CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool, apr_table_t
*t);
+/* Create a new table consisting of those elements from a request_rec's
+ * headers_in that are allowed to be stored in a cache
+ */
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r);
+
/**
* cache_storage.c
*/
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c httpd-2.0.49/modules/experimental/mod_disk_cache.c
--- httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/mod_disk_cache.c 2004-03-20 15:55:51.000000000
+0100
@@ -600,8 +600,9 @@
/* @@@ Some day, not today. */
if (r->headers_in) {
int i;
- apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(r->headers_in)-
>elts;
- for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
+ apr_table_t* headers_in = ap_cache_cacheable_hdrs_in(r);
+ apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(headers_in)-
>elts;
+ for (i = 0; i < apr_table_elts(headers_in)->nelts; ++i) {
if (elts[i].key != NULL) {
buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val, CRLF,
NULL);
amt = strlen(buf);
厂商补丁:
Apache Software Foundation
--------------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.apache.org/
推荐
评论(0条)
