Apache Web Server MIME Boundary远程信息泄露漏洞

漏洞信息详情

Apache Web Server MIME Boundary远程信息泄露漏洞

• CNNVD编号：CNNVD-200312-297
• 危害等级： 中危
  
  
• CVE编号：
  CVE-2003-1418
  
• 漏洞类型：
  
  
  信息泄露
  
• 发布时间：
  
  2003-02-24
  
• 威胁类型：
  
  
  远程
  
• 更新时间：
  
  2003-12-31
  
• 厂        商：
  
  apache
• 漏洞来源：

Apache是一款流行的开放源代码httpd服务程序。
Apache Web服务程序在生成MIME消息边界(message boundaries)时存在问题，远程攻击者可以利用这个漏洞获得服务器敏感信息。
Apache的把系统敏感信息用在生成的MIME消息边界中，因此攻击者可以在返回信息中获得这些敏感信息，可以进一步对系统进行攻击。OpenBSD提供了补丁使用BASE64编码的随机号来生成MIME边界。
＜*链接：http：//www.openbsd.org/errata.html
*＞

临时解决方法：
如果您不能立刻安装补丁或者升级，CNNVD建议您采取以下措施以降低威胁：

* 使用OpenBSD发布的安全补丁：

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch

Apply by doing:

cd /usr/src

patch -p0 < 008_httpd.patch

And then rebuild and install httpd and it’s modules:

cd usr.sbin/httpd

make -f Makefile.bsd-wrapper obj

make -f Makefile.bsd-wrapper depend

make -f Makefile.bsd-wrapper

make -f Makefile.bsd-wrapper install

If httpd had been started, you might want to run

apachectl stop

apachectl start

afterwards.

Index: usr.sbin/httpd/src/main/http_main.c

===================================================================

RCS file: /cvs/src/usr.sbin/httpd/src/main/http_main.c,v

retrieving revision 1.25.2.1

retrieving revision 1.25.2.2

diff -u -p -r1.25.2.1 -r1.25.2.2

— usr.sbin/httpd/src/main/http_main.c 8 Nov 2002 00:04:04 -0000 1.25.2.1

+++ usr.sbin/httpd/src/main/http_main.c 24 Feb 2003 02:09:38 -0000 1.25.2.2

@@ -1,4 +1,4 @@

-/* $OpenBSD: http_main.c,v 1.25.2.1 2002/11/08 00:04:04 jason Exp $ */

+/* $OpenBSD: http_main.c,v 1.25.2.2 2003/02/24 02:09:38 margarida Exp $ */

/* ====================================================================

* The Apache Software License, Version 1.1

@@ -5176,6 +5176,7 @@ static void standalone_main(int argc, ch

}

ap_set_version(); /* create our server_version string */

ap_init_modules(pconf, server_conf);

+ ap_init_etag(pconf);

version_locked++; /* no more changes to server_version */

if(!is_graceful && !is_chrooted)

Index: usr.sbin/httpd/src/main/http_protocol.c

===================================================================

RCS file: /cvs/src/usr.sbin/httpd/src/main/http_protocol.c,v

retrieving revision 1.13

retrieving revision 1.13.2.1

diff -u -p -r1.13 -r1.13.2.1

— usr.sbin/httpd/src/main/http_protocol.c 19 Jul 2002 21:31:16 -0000 1.13

+++ usr.sbin/httpd/src/main/http_protocol.c 24 Feb 2003 02:09:39 -0000 1.13.2.1

@@ -1,3 +1,4 @@

+/* $OpenBSD: http_protocol.c,v 1.13.2.1 2003/02/24 02:09:39 margarida Exp $ */

/* ====================================================================

* The Apache Software License, Version 1.1

*

@@ -76,6 +77,7 @@

#include “util_date.h” /* For parseHTTPdate and BAD_DATE */

#include

#include “http_conf_globals.h”

+#include “ap_sha1.h”

#define SET_BYTES_SENT(r) \

do { if (r->sent_bodyct) \

@@ -276,7 +278,10 @@ static int byterange_boundary(request_re

API_EXPORT(int) ap_set_byterange(request_rec *r)

{

const char *range, *if_range, *match;

+ char *bbuf, *b;

+ u_int32_t rbuf[12]; /* 48 bytes yields 64 base64 chars */

long length, start, end, one_start = 0, one_end = 0;

+ size_t u;

int ranges, empty;

if (!r->clength || r->assbackwards)

@@ -322,8 +327,20 @@ API_EXPORT(int) ap_set_byterange(request

* caller will perform if we return 1.

*/

r->range = range;

– r->boundary = ap_psprintf(r->pool, “%lx%lx”,

– r->request_time, (long) getpid());

+ for (u = 0; u < sizeof(rbuf)/sizeof(rbuf[0]); u++)

+ rbuf[u] = htonl(arc4random());

+

+ bbuf = ap_palloc(r->pool, ap_base64encode_len(sizeof(rbuf)));

+ ap_base64encode(bbuf, (const unsigned char *)rbuf, sizeof(rbuf));

+ for (b = bbuf; *b != ‘\0’; b++) {

+ if (((b – bbuf) + 1) % 7 == 0)

+ *b = ‘-‘;

+ else if (!isalnum(*b))

+ *b = ‘a’;

+ }

+

+ r->boundary = bbuf;

+

length = 0;

ranges = 0;

empty = 1;

@@ -646,7 +663,7 @@ API_EXPORT(int) ap_meets_conditions(requ

* could be modified again in as short an interval. We rationalize the

* modification time we’re given to keep it from being in the future.

*/

-API_EXPORT(char *) ap_make_etag(request_rec *r, int force_weak)

+API_EXPORT(char *) ap_make_etag_orig(request_rec *r, int force_weak)

{

char *etag;

char *weak;

@@ -3106,4 +3123,164 @@ API_EXPORT(void) ap_send_error_response(

ap_kill_timeout(r);

ap_finalize_request_protocol(r);

ap_rflush(r);

+}

+

+/*

+ * The shared hash context, copies of which are used by all children for

+ * etag generation. ap_init_etag() must be called once before all the

+ * children are created. We use a secret hash initialization value

+ * so that people can’t brute-force inode numbers.

+ */

+static AP_SHA1_CTX baseCtx;

+

+int ap_create_etag_state(pool *pconf)

+{

+ u_int32_t rnd;

+ unsigned int u;

+ int fd;

+ const char* filename;

+

+ filename = ap_server_root_relative(pconf, “logs/etag-state”);

+ ap_server_strip_chroot(filename, 0);

+

+ if ((fd = open(filename, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW, 0640)) ==

+ -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ “could not create %s”, filename);

+ exit(-1);

+ }

+

+ if (fchown(fd, -1, ap_group_id) == -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ “could not chown %s”, filename);

+ exit(-1);

+ }

+

+ /* generate random bytes and write them */

+ for (u = 0; u < 4; u++) {

+ rnd = arc4random();

+ if (write(fd, &rnd, sizeof(rnd)) == -1) {

+ ap_log_error(APLOG_MARK, APLOG_CRIT, NULL,

+ “could not write to %s”, filename);

+ exit(-1);

+ }

+ }

+

+ close (fd);

+}

+

+API_EXPORT(void) ap_init

来源: BID
名称: 6943
链接:http://www.securityfocus.com/bid/6943

来源: XF
名称: apache-mime-information-disclosure(11438)
链接:http://xforce.iss.net/xforce/xfdb/11438

来源: BID
名称: 6939
链接:http://www.securityfocus.com/bid/6939

来源: OPENBSD
名称: [3.2] 008: SECURITY FIX: February 25, 2003
链接:http://www.openbsd.org/errata32.html

来源：NSFOCUS
名称：4469※4470※4484
链接：http://www.nsfocus.net/vulndb/4469※4470※4484