Apache Web Server MIME Boundary远程信息泄露漏洞


漏洞信息详情

Apache Web Server MIME Boundary远程信息泄露漏洞

  • CNNVD编号:CNNVD-200312-297
  • 危害等级: 低危
  • CVE编号: CVE-2003-1418
  • 漏洞类型: 信息泄露
  • 发布时间: 2003-02-24
  • 威胁类型: 远程
  • 更新时间: 2003-12-31
  • 厂        商: apache
  • 漏洞来源:

漏洞简介

Apache是一款流行的开放源代码httpd服务程序。 Apache Web服务程序在生成MIME消息边界(message boundaries)时存在问题,远程攻击者可以利用这个漏洞获得服务器敏感信息。 Apache把系统敏感信息用于生成MIME消息边界(从下文补丁可见,原实现由请求时间和进程号拼接而成),因此攻击者可以从返回信息中获得这些敏感信息,并据此进一步对系统进行攻击。OpenBSD提供了补丁,改用BASE64编码的随机数来生成MIME边界。 <*链接:http://www.openbsd.org/errata.HTML *>

漏洞公告

临时解决方法: 如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:

* 使用OpenBSD发布的安全补丁:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch

Apply by doing:

cd /usr/src

patch -p0 < 008_httpd.patch

And then rebuild and install httpd and its modules:

cd usr.sbin/httpd

make -f Makefile.bsd-wrapper obj

make -f Makefile.bsd-wrapper depend

make -f Makefile.bsd-wrapper

make -f Makefile.bsd-wrapper install

If httpd had been started, you might want to run

apachectl stop

apachectl start

afterwards.

Index: usr.sbin/httpd/src/main/http_main.c

===================================================================

RCS file: /cvs/src/usr.sbin/httpd/src/main/http_main.c,v

retrieving revision 1.25.2.1

retrieving revision 1.25.2.2

diff -u -p -r1.25.2.1 -r1.25.2.2

--- usr.sbin/httpd/src/main/http_main.c 8 Nov 2002 00:04:04 -0000 1.25.2.1

+++ usr.sbin/httpd/src/main/http_main.c 24 Feb 2003 02:09:38 -0000 1.25.2.2

@@ -1,4 +1,4 @@

-/* $OpenBSD: http_main.c,v 1.25.2.1 2002/11/08 00:04:04 jason Exp $ */

+/* $OpenBSD: http_main.c,v 1.25.2.2 2003/02/24 02:09:38 margarida Exp $ */

/* ====================================================================

* The Apache Software License, Version 1.1

@@ -5176,6 +5176,7 @@ static void standalone_main(int argc, ch

}

ap_set_version(); /* create our server_version string */

ap_init_modules(pconf, server_conf);

+ ap_init_etag(pconf);

version_locked++; /* no more changes to server_version */

if(!is_graceful && !is_chrooted)
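Review bot: The new `ap_init_etag(pconf);` call is the only line in this run without a trailing comment; something like `ap_init_etag(pconf); /* set up ETag hash state before children are created */` would match its neighbours and record the ordering requirement that the comment added in http_protocol.c states. The call is added only in standalone_main, so if the server has another start-up path (not visible on this page), the hash context would presumably stay uninitialised there and that path would need the same call. standalone_main starts and ends outside the hunk.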

Index: usr.sbin/httpd/src/main/http_protocol.c

===================================================================

RCS file: /cvs/src/usr.sbin/httpd/src/main/http_protocol.c,v

retrieving revision 1.13

retrieving revision 1.13.2.1

diff -u -p -r1.13 -r1.13.2.1

--- usr.sbin/httpd/src/main/http_protocol.c 19 Jul 2002 21:31:16 -0000 1.13

+++ usr.sbin/httpd/src/main/http_protocol.c 24 Feb 2003 02:09:39 -0000 1.13.2.1

@@ -1,3 +1,4 @@

+/* $OpenBSD: http_protocol.c,v 1.13.2.1 2003/02/24 02:09:39 margarida Exp $ */

/* ====================================================================

* The Apache Software License, Version 1.1

*

@@ -76,6 +77,7 @@

#include "util_date.h" /* For parseHTTPdate and BAD_DATE */

#include

#include "http_conf_globals.h"

+#include "ap_sha1.h"

#define SET_BYTES_SENT(r) \

do { if (r->sent_bodyct) \

@@ -276,7 +278,10 @@ static int byterange_boundary(request_re

API_EXPORT(int) ap_set_byterange(request_rec *r)

{

const char *range, *if_range, *match;

+ char *bbuf, *b;

+ u_int32_t rbuf[12]; /* 48 bytes yields 64 base64 chars */

long length, start, end, one_start = 0, one_end = 0;

+ size_t u;

int ranges, empty;

if (!r->clength || r->assbackwards)

@@ -322,8 +327,20 @@ API_EXPORT(int) ap_set_byterange(request

* caller will perform if we return 1.

*/

r->range = range;

- r->boundary = ap_psprintf(r->pool, "%lx%lx",

- r->request_time, (long) getpid());

+ for (u = 0; u < sizeof(rbuf)/sizeof(rbuf[0]);="">

+ rbuf[u] = htonl(arc4random());

+

+ bbuf = ap_palloc(r->pool, ap_base64encode_len(sizeof(rbuf)));

+ ap_base64encode(bbuf, (const unsigned char *)rbuf, sizeof(rbuf));

+ for (b = bbuf; *b != '\0'; b++) {

+ if (((b - bbuf) + 1) % 7 == 0)

+ *b = '-';

+ else if (!isalnum(*b))

+ *b = 'a';

+ }

+

+ r->boundary = bbuf;

+

length = 0;

ranges = 0;

empty = 1;
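Review bot: `isalnum(*b)` in the post-processing loop receives a plain `char`; writing it as `else if (!isalnum((unsigned char)*b))` keeps the call well defined where `char` is signed, even though the base64 output is ASCII here. The loop also deserves a comment such as `/* restrict the boundary to [A-Za-z0-9-]: '-' at every 7th position, 'a' in place of '+' and '/' */`, because the substitutions are not self-explanatory and they discard part of the randomness carried by the 64 encoded characters. The remaining entropy is still far beyond what the old time-plus-pid string offered, and the comment should say that this trade-off is deliberate. ap_set_byterange starts in the previous hunk and continues past this one.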

@@ -646,7 +663,7 @@ API_EXPORT(int) ap_meets_conditions(requ

* could be modified again in as short an interval. We rationalize the

* modification time we're given to keep it from being in the future.

*/

-API_EXPORT(char *) ap_make_etag(request_rec *r, int force_weak)

+API_EXPORT(char *) ap_make_etag_orig(request_rec *r, int force_weak)

{

char *etag;

char *weak;
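Review bot: `ap_make_etag_orig` keeps its `API_EXPORT` linkage after the rename, so the original generator remains callable by modules alongside whatever now provides `ap_make_etag`. The comment added later in this patch says the new scheme exists so that inode numbers cannot be brute-forced; if the old function is only an internal helper of the replacement (which is not visible on this page), declaring it `static char *ap_make_etag_orig(request_rec *r, int force_weak)` would stop other code from emitting the unhashed value. The function body continues outside the hunk.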

@@ -3106,4 +3123,164 @@ API_EXPORT(void) ap_send_error_response(

ap_kill_timeout(r);

ap_finalize_request_protocol(r);

ap_rflush(r);

+}

+

+/*

+ * The shared hash context, copies of which are used by all children for

+ * etag generation. ap_init_etag() must be called once before all the

+ * children are created. We use a secret hash initialization value

+ * so that people can't brute-force inode numbers.

+ */

+static AP_SHA1_CTX baseCtx;

+

+int ap_create_etag_state(pool *pconf)

+{

+ u_int32_t rnd;

+ unsigned int u;

+ int fd;

+ const char* filename;

+

+ filename = ap_server_root_relative(pconf, "logs/etag-state");

+ ap_server_strip_chroot(filename, 0);

+

+ if ((fd = open(filename, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW, 0640)) ==

+ -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ "could not create %s", filename);

+ exit(-1);

+ }

+

+ if (fchown(fd, -1, ap_group_id) == -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ "could not chown %s", filename);

+ exit(-1);

+ }

+

+ /* generate random bytes and write them */

+ for (u = 0; u < 4;="" u++)="">

+ rnd = arc4random();

+ if (write(fd, &rnd, sizeof(rnd)) == -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ "could not write to %s", filename);

+ exit(-1);

+ }

+ }

+

+ close (fd);

+}

+

+API_EXPORT(void) ap_init

参考网址

来源: BID 名称: 6943 链接:http://www.securityfocus.com/bid/6943 来源: XF 名称: apache-mime-information-disclosure(11438) 链接:http://xforce.iss.net/xforce/xfdb/11438 来源: BID 名称: 6939 链接:http://www.securityfocus.com/bid/6939 来源: OPENBSD 名称: [3.2] 008: SECURITY FIX: February 25, 2003 链接:http://www.openbsd.org/errata32.HTML 来源:NSFOCUS 名称:4469※4470※4484 链接:http://www.nsfocus.net/vulndb/4469※4470※4484

受影响实体

  • Apache Http_server:1.3.27  
  • Apache Http_server:1.3.26  
  • Apache Http_server:1.3.25  
  • Apache Http_server:1.3.23  
  • Apache Http_server:1.3.24  

补丁

    暂无
