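Vulnerability Details
Apache mod_disk_cache Module Client Authentication Information Storage Vulnerability
- CNNVD ID: CNNVD-200403-091
- Severity: Low
- CVE ID: CVE-2004-1834
- Vulnerability type: Design error
- Published: 2004-03-20
- Threat type: Local
- Updated: 2005-10-20
- Vendor: apache
- Source: Andreas Steinmetz※...
Vulnerability Summary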
Apache is a popular open-source HTTP server. The mod_disk_cache module included with Apache has an information disclosure problem: a remote attacker can exploit this vulnerability to obtain sensitive client authentication information. The mod_disk_cache module stores all client authentication information on disk. The problem is in the write_headers() function in modules/experimental/mod_disk_cache.c:
========================================================================
/* Parse the vary header and dump those fields from the headers_in. */
/* Make call to the same thing cache_select_url calls to crack Vary. */
/* @@@ Some day, not today. */
if (r->headers_in) {
    int i;
    apr_table_entry_t *elts = (apr_table_entry_t *)
        apr_table_elts(r->headers_in)->elts;
    for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
        if (elts[i].key != NULL) {
            buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val,
                              CRLF, NULL);
            amt = strlen(buf);
            apr_file_write(hfd, buf, &amt);
        }
    }
    buf = apr_pstrcat(r->pool, CRLF, NULL);
    amt = strlen(buf);
    apr_file_write(hfd, buf, &amt);
}
========================================================================
Every field of r->headers_in is written to disk, and this table contains all of the client's authentication information. An attacker can therefore obtain information such as cleartext authentication passwords.
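The comment in the excerpt defers selecting request headers by Vary. As an added example (not Apache's code and not the third-party patch in this entry), the stand-alone C below writes only the request headers that the response's Vary value names and never writes credential headers. `struct hdr`, `vary_names`, `is_credential`, `write_vary_headers` and the credential list are assumptions made for the example, which uses plain libc instead of APR.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */
#include <ctype.h>

struct hdr { const char *key, *val; };   /* stand-in for apr_table_entry_t */

/* Return 1 if `name` is one of the comma-separated tokens in the Vary value. */
static int vary_names(const char *vary, const char *name)
{
    size_t n = strlen(name);
    while (vary && *vary) {
        while (*vary == ',' || isspace((unsigned char)*vary)) vary++;
        size_t len = strcspn(vary, ", \t");
        if (len == n && strncasecmp(vary, name, n) == 0) return 1;
        vary += len;
    }
    return 0;
}

/* Credential-bearing headers never go to disk (this list is an assumption). */
static int is_credential(const char *k)
{
    return !strcasecmp(k, "Authorization") || !strcasecmp(k, "Cookie") ||
           !strcasecmp(k, "Proxy-Authorization");
}

/* Write "Key: Value CRLF" for each selected header, then a bare CRLF, as the
 * excerpt does. Returns the byte count, or -1 if `out` is too small. */
int write_vary_headers(const struct hdr *in, size_t n, const char *vary,
                       char *out, size_t cap)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in[i].key || is_credential(in[i].key) || !vary_names(vary, in[i].key))
            continue;
        int w = snprintf(out + used, cap - used, "%s: %s\r\n",
                         in[i].key, in[i].val ? in[i].val : "");
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    if (cap - used < 3) return -1;
    memcpy(out + used, "\r\n", 3);       /* terminator line plus NUL */
    return (int)(used + 2);
}

int main(void)
{   /* Constructed request headers; the credential value is a dummy. */
    struct hdr h[] = { {"Host", "example.test"}, {"Authorization", "Basic ZHVtbXk="},
                       {"Accept-Encoding", "gzip"} };
    char buf[128];
    if (write_vary_headers(h, 3, "Accept-Encoding, Authorization", buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

Even when the constructed Vary value names Authorization, the credential check runs first, so that header is not serialised.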
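Vulnerability Advisory
Workaround: If you cannot install a patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
* The third-party patch provided by Andreas Steinmetz <[email protected]> is as follows: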
diff -rNu httpd-2.0.49.orig/modules/experimental/cache_util.c httpd-2.0.49/modules/experimental/cache_util.c
--- httpd-2.0.49.orig/modules/experimental/cache_util.c 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/cache_util.c 2004-03-20 15:55:51.000000000 +0100
@@ -516,3 +516,25 @@
apr_table_unset(headers_out, "Upgrade");
return headers_out;
}
+
+/* Create a new table consisting of those elements from a request_rec's
+ * headers_in that are allowed to be stored in a cache.
+ */
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r)
+{
+ /* Make a copy of the request headers, and remove from
+ * the copy any hop-by-hop headers, as defined in Section
+ * 13.5.1 of RFC 2616
+ */
+ apr_table_t *headers_in;
+ headers_in = apr_table_copy(r->pool, r->headers_in);
+ apr_table_unset(headers_in, "Connection");
+ apr_table_unset(headers_in, "Keep-Alive");
+ apr_table_unset(headers_in, "Proxy-Authenticate");
+ apr_table_unset(headers_in, "Proxy-Authorization");
+ apr_table_unset(headers_in, "TE");
+ apr_table_unset(headers_in, "Trailers");
+ apr_table_unset(headers_in, "Transfer-Encoding");
+ apr_table_unset(headers_in, "Upgrade");
+ return headers_in;
+}
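Review bot: ap_cache_cacheable_hdrs_in() unsets only the hop-by-hop set ("Connection" through "Upgrade"), so the only credential header removed is Proxy-Authorization; an end-to-end Authorization or Cookie header in r->headers_in is still in the returned copy and will still be written to the cache header file. Suggest unsetting those here as well, for example apr_table_unset(headers_in, "Authorization");, or building the table from the names in the response's Vary header instead of copying everything. Headers named as tokens in the Connection value are hop-by-hop too and are not handled.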
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_cache.h httpd-2.0.49/modules/experimental/mod_cache.h
--- httpd-2.0.49.orig/modules/experimental/mod_cache.h 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/mod_cache.h 2004-03-20 15:55:51.000000000 +0100
@@ -238,6 +238,11 @@
*/
CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool, apr_table_t
*t);
+/* Create a new table consisting of those elements from a request_rec's
+ * headers_in that are allowed to be stored in a cache
+ */
+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r);
+
/**
* cache_storage.c
*/
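Review bot: the new prototype takes a request_rec *, while ap_cache_cacheable_hdrs_out() directly above it takes (apr_pool_t *pool, apr_table_t *t); matching that signature would keep the two helpers consistent and let callers choose the pool and table. The comment should also state which headers are excluded and that the returned table is allocated from r->pool.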
diff -rNu httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c httpd-2.0.49/modules/experimental/mod_disk_cache.c
--- httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c 2004-02-09 21:53:16.000000000
+0100
+++ httpd-2.0.49/modules/experimental/mod_disk_cache.c 2004-03-20 15:55:51.000000000
+0100
@@ -600,8 +600,9 @@
/* @@@ Some day, not today. */
if (r->headers_in) {
int i;
- apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(r->headers_in)-
>elts;
- for (i = 0; i < apr_table_elts(r-="">headers_in)->nelts; ++i) {
+ apr_table_t* headers_in = ap_cache_cacheable_hdrs_in(r);
+ apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(headers_in)-
>elts;
+ for (i = 0; i < apr_table_elts(headers_in)-="">nelts; ++i) {
if (elts[i].key != NULL) {
buf = apr_pstrcat(r->pool, elts[i].key, ": ", elts[i].val, CRLF,
NULL);
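amt = strlen(buf);
Vendor patch:
Apache Software Foundation
--------------------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: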
http://www.apache.org/
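Review bot: in the mod_disk_cache.c hunk, the guard is still if (r->headers_in) although the loop now walks the filtered copy, and apr_table_elts(headers_in) is evaluated once for elts and again in every loop test; fetch the array header once into a local and test that instead. The loop also still writes every remaining request header, although the comment on this block in write_headers() says only the fields named by Vary should be dumped. Minor: apr_table_t* headers_in does not match the apr_table_entry_t *elts spacing on the next line.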
References
- Source: XF; Name: apache-moddiskcache-obtain-info(15547); Link: http://xforce.iss.net/xforce/xfdb/15547
- Source: BID; Name: 9933; Link: http://www.securityfocus.com/bid/9933
- Source: OSVDB; Name: 4446; Link: http://www.osvdb.org/4446
- Source: SECTRACK; Name: 1009509; Link: http://securitytracker.com/id?1009509
- Source: SECUNIA; Name: 11176; Link: http://secunia.com/advisories/11176
- Source: OVAL; Name: oval:org.mitre.oval:def:11133; Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11133
- Source: BUGTRAQ; Name: 20040319 Apache mod_disk_cache stores client authentication credentials on disk; Link: http://marc.theaimsgroup.com/?l=bugtraq&m=107981737322495&w=2
- Source: REDHAT; Name: RHSA-2004:562; Link: http://www.redhat.com/support/errata/RHSA-2004-562.HTML
- Source: VUPEN; Name: ADV-2006-0789; Link: http://www.frsirt.com/english/advisories/2006/0789
- Source: support.avaya.com; Link: http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm
- Source: SUNALERT; Name: 102198; Link: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1
- Source: SECUNIA; Name: 19072; Link: http://secunia.com/advisories/19072
Affected Entities
- Apache Http_server:2.0
- Apache Http_server:2.0.9
- Apache Http_server:2.0.28
- Apache Http_server:2.0.28:Beta
- Apache Http_server:2.0.32
Patches
None available