Note: This is an archival copy of Security Sun Alert 247666 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019856.1.
Article ID : 1019856.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2008-12-16
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the Apache 2.0 "mod_proxy_http" and "mod_proxy_ftp" Modules may Lead to Denial of Service (DoS) or Cross Site Scripting (XSS)

Category
Security

Release Phase
Resolved

Bug Id
6725791, 6737160

Product
Solaris 10 Operating System

Date of Workaround Release
15-Dec-2008

Date of Resolved Release
17-Dec-2008

Security Vulnerabilities in the Apache 2.0 "mod_proxy_http" and "mod_proxy_ftp" modules:

1. Impact

Two security vulnerabilities have been found in the Apache HTTP server that affect the Apache 2.0 web server bundled with Solaris 10:

1. A  Denial of Service (DoS) vulnerability in the "mod_proxy_http" Apache server module (CVE-2008-2364), may allow a remote unprivileged user who is in control of a web server to which requests may be proxied, to cause a denial of service to the Apache
"httpd" process (or potentially to the system as a whole as the application may consume excessive resources).

2. A  Cross Site Scripting (CSS or XSS) vulnerability in the "mod_proxy_ftp" Apache server module (CVE-2008-2939), may allow a remote unprivileged user to inject arbitrary web script or HTML. This may allow the unprivileged user to bypass access control and gain access
to unauthorized data.

These issues are described in the following documents:

CVE-2008-2364 at:
CVE-2008-2939 at:
2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
  • Solaris 10 without patch 120543-12
x86 Platform
  • Solaris 10 without patch 120544-12
Note 1: Solaris 8 and Solaris 9 do not include support for Apache 2.0 web server and therefore are not  impacted by these issues.

Note 2: A system is only vulnerable to the described issues if the Apache 2.0 web server has been configured and is running on the system.
To determine if the Apache 2.0 web server is enabled, the following SMF command can be used:
    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2
Note 3: The "mod_proxy_http" vulnerability (CVE-2008-2364) only affects systems that enable a forward proxy.  This feature is disabled by default and is very rarely used. To determine if  the forward proxy is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
    $ grep "ProxyRequests" /etc/apache2/httpd.conf
    ProxyRequests On
Note 4: "The mod_proxy_ftp" vulnerability (CVE-2008-2939) only affects systems that enable FTP over HTTP proxying, and a forward proxy (see note 3) or a reverse proxy is enabled. To determine if the FTP over HTTP proxying is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
    $ grep "mod_proxy_ftp" /etc/apache2/httpd.conf
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so
To determine if the reverse proxy is enabled, run the following command for all of the configuration files that define the running Apache 2.0 configuration:
    $ grep "ProxyPass" /etc/apache2/httpd.conf
    ProxyPass /foo http://foo.example.com/bar
3. Symptoms

If the first issue (CVE-2008-2364) is exploited, the Apache 2.0 web server may be unresponsive, possibly consuming all available CPU or
memory resources.

Commands such as prstat(1M) can be used to determine the utilization of system resources:
    $ prstat -s cpu
    [...]
There are no predictable symptoms that would indicate that the second issue (CVE-2008-2939) has been exploited.

4. Workaround

To work around the "mod_proxy_http" issue (CVE-2008-2364), make sure that the forward proxy is not enabled (see Note 3 in Section 2) in in the Apache 2 "httpd.conf" file.

To work around the "mod_proxy_ftp" issue (CVE-2008-2939), make sure that module "mod_proxy_ftp.so" is not loaded (see Note 4 in Section 2) in the Apache 2 "httpd.conf" file.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform
  • Solaris 10 with patch 120543-12 or later
x86 Platform
  • Solaris 10 with patch 120544-12 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

Modification History
17-Dec-2008: Updated the Contributing Factors and Resolution sections. Resolved.


References
 120543-12

 120544-12



                            



Attachments
This solution has no attachment