Apache HTTP Server XSS Vulnerability (March 8, 2013)

The Apache HTTP Server, commonly referred to as Apache, is a web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone. The application is available for a wide variety of operating systems, including Unix, FreeBSD, Linux, Solaris, Novell NetWare, OS X, Microsoft Windows, OS/2, TPF, and eComStation. Released under the Apache License, Apache is open-source software.

Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. These can range from server-side programming language support to authentication schemes. Some common language interfaces support Perl, Python, Tcl, and PHP. Popular authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Another example of the official plug-in modules is the mod_proxy_balancer module. As all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to let Apache HTTP server run as a load balancing proxy server.

Mod_proxy_balancer when combined with mod_status provides a web interface called balancer-manager that enables dynamic updating of balancer members. You can use balancer-manager to change the balance factor for a particular member, or put it in off line mode.

A URL has the following generic format:

 ://[:port]/[path][filename][?][#] 

A cross-site scripting vulnerability exists in the way mod_proxy_balancer module of Apache HTTP server handles the URL string for the balancer-manager web interface. The flaw is due to insufficient sanitation of the URL. A remote attacker can exploit this vulnerability by enticing a user to view a specially crafted webpage or link. Successful exploitation could result in the malicious script code executing in the client’s browser, within the security context of the Web-site.

The vendor, Apache, has released an advisory addressing this vulnerability on 2/25/2013. Dell SonicWALL UTM team has researched this vulnerability and covered it with a generic XSS detection signature:

• 6753 Cross-Site Scripting (XSS) Attack 8

This vulnerability was assigned by CVE as CVE-2012-4558.

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.