Apache mod_disk_cache模块客户端验证信息存储漏洞

漏洞信息详情

Apache mod_disk_cache模块客户端验证信息存储漏洞

漏洞简介

Apache是一款开放源代码流行的Httpd服务程序。
Apache包含的mod_disk_cache模块存在信息泄露问题,远程攻击者可以利用这个漏洞获得客户端验证的敏感信息。
mod_disk_cache模块把所有客户端验证信息存储在磁盘上,问题存在于modules/experimental/mod_disk_cache.c代码中的write_headers()函数:
========================================================================
/*
 * Excerpt from write_headers(): serialises the request headers to the file
 * handle hfd, one "key: value" line per table entry, then an empty line.
 *
 * NOTE(review): no filtering is applied here. Every entry of r->headers_in is
 * written out, so credential-bearing request headers (e.g. Authorization) are
 * stored on disk in clear text. This is the information leak the advisory
 * describes.
 */
/* Parse the vary header and dump those fields from the headers_in. */
/* Make call to the same thing cache_select_url calls to crack Vary. */
/* @@@ Some day, not today. */
if (r->headers_in) {
~ int i;
~ apr_table_entry_t *elts = (apr_table_entry_t *)
~ apr_table_elts(r->headers_in)->elts;
/* Walk the raw request-header table; entries with a NULL key are skipped. */
~ for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {
~ if (elts[i].key != NULL) {
~ buf = apr_pstrcat(r->pool, elts[i].key, \”: \”, elts[i].val,
~ CRLF, NULL);
~ amt = strlen(buf);
/* NOTE(review): the result of apr_file_write() is not checked, so a failed
 * or short write goes unnoticed. */
~ apr_file_write(hfd, buf, &amt);
~ }
~ }
/* A bare CRLF follows the last header line. */
~ buf = apr_pstrcat(r->pool, CRLF, NULL);
~ amt = strlen(buf);
~ apr_file_write(hfd, buf, &amt);
}
========================================================================
write_headers()把r->headers_in中的所有字段原样写入磁盘上的缓存文件,而这些请求头包含客户端提交的全部验证信息(例如Authorization头中的凭据)。因此,能够读取这些缓存文件的攻击者可以借此获得明文密码等验证信息。

漏洞公告

临时解决方法:
如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:

* Andreas Steinmetz <ast@domdv.de>提供的第三方补丁如下:

diff -rNu httpd-2.0.49.orig/modules/experimental/cache_util.c httpd-2.0.49/modules/experimental/cache_util.c

— httpd-2.0.49.orig/modules/experimental/cache_util.c 2004-02-09 21:53:16.000000000

+0100

+++ httpd-2.0.49/modules/experimental/cache_util.c 2004-03-20 15:55:51.000000000 +0100

@@ -516,3 +516,25 @@

apr_table_unset(headers_out, “Upgrade”);

return headers_out;

}

+

+/* Create a new table consisting of those elements from a request_rec’s

+ * headers_in that are allowed to be stored in a cache.

+ */

+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r)

+{

+ /* Make a copy of the request headers, and remove from

+ * the copy any hop-by-hop headers, as defined in Section

+ * 13.5.1 of RFC 2616

+ */

+ apr_table_t *headers_in;

+ headers_in = apr_table_copy(r->pool, r->headers_in);

+ apr_table_unset(headers_in, “Connection”);

+ apr_table_unset(headers_in, “Keep-Alive”);

+ apr_table_unset(headers_in, “Proxy-Authenticate”);

+ apr_table_unset(headers_in, “Proxy-Authorization”);

+ apr_table_unset(headers_in, “TE”);

+ apr_table_unset(headers_in, “Trailers”);

+ apr_table_unset(headers_in, “Transfer-Encoding”);

+ apr_table_unset(headers_in, “Upgrade”);

+ return headers_in;

+}
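Review bot: `ap_cache_cacheable_hdrs_in()` strips only the hop-by-hop headers, so an end-to-end `Authorization` header (and `Cookie`) survives in the copied table; `Proxy-Authorization` is the only credential header it unsets. The caller in the mod_disk_cache.c hunk writes every remaining entry to the header file, so the client credentials the advisory describes would still reach the disk unless requests carrying them are refused for caching elsewhere, which this patch does not show. I would add `apr_table_unset(headers_in, "Authorization");` next to the `Proxy-Authorization` line and state in the function comment which credential headers are dropped on purpose.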

diff -rNu httpd-2.0.49.orig/modules/experimental/mod_cache.h httpd-2.0.49/modules/experimental/mod_cache.h

— httpd-2.0.49.orig/modules/experimental/mod_cache.h 2004-02-09 21:53:16.000000000

+0100

+++ httpd-2.0.49/modules/experimental/mod_cache.h 2004-03-20 15:55:51.000000000 +0100

@@ -238,6 +238,11 @@

*/

CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_out(apr_pool_t *pool, apr_table_t

*t);

+/* Create a new table consisting of those elements from a request_rec’s

+ * headers_in that are allowed to be stored in a cache

+ */

+CACHE_DECLARE(apr_table_t *)ap_cache_cacheable_hdrs_in(request_rec *r);

+

/**

* cache_storage.c

*/

diff -rNu httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c httpd-2.0.49/modules/experimental/mod_disk_cache.c

— httpd-2.0.49.orig/modules/experimental/mod_disk_cache.c 2004-02-09 21:53:16.000000000

+0100

+++ httpd-2.0.49/modules/experimental/mod_disk_cache.c 2004-03-20 15:55:51.000000000

+0100

@@ -600,8 +600,9 @@

/* @@@ Some day, not today. */

if (r->headers_in) {

int i;

– apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(r->headers_in)-

>elts;

– for (i = 0; i < apr_table_elts(r->headers_in)->nelts; ++i) {

+ apr_table_t* headers_in = ap_cache_cacheable_hdrs_in(r);

+ apr_table_entry_t *elts = (apr_table_entry_t *) apr_table_elts(headers_in)-

>elts;

+ for (i = 0; i < apr_table_elts(headers_in)->nelts; ++i) {

if (elts[i].key != NULL) {

buf = apr_pstrcat(r->pool, elts[i].key, “: “, elts[i].val, CRLF,

NULL);

amt = strlen(buf);
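Review bot: The new declaration `apr_table_t* headers_in` binds the `*` to the type, while the following line uses `apr_table_entry_t *elts`; write it as `apr_table_t *headers_in = ap_cache_cacheable_hdrs_in(r);` to match. `apr_table_elts(headers_in)` is also evaluated once for `elts` and again in every loop test; keeping the result in one local, e.g. `const apr_array_header_t *arr = apr_table_elts(headers_in);`, would make it obvious that both refer to the same filtered copy. A short comment above the call, such as `/* store only the filtered copy, never r->headers_in itself */`, would record why the copy exists. The loop body continues outside the hunk.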
厂商补丁:
Apache Software Foundation
————————–
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.apache.org/

参考网址

来源: XF
名称: apache-moddiskcache-obtain-info(15547)
链接:http://xforce.iss.net/xforce/xfdb/15547

来源: BID
名称: 9933
链接:http://www.securityfocus.com/bid/9933

来源: OSVDB
名称: 4446
链接:http://www.osvdb.org/4446

来源: SECTRACK
名称: 1009509
链接:http://securitytracker.com/id?1009509

来源: SECUNIA
名称: 11176
链接:http://secunia.com/advisories/11176

来源: OVAL
名称: oval:org.mitre.oval:def:11133
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11133

来源: BUGTRAQ
名称: 20040319 Apache mod_disk_cache stores client authentication credentials on disk
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107981737322495&w=2

来源: REDHAT
名称: RHSA-2004:562
链接:http://www.redhat.com/support/errata/RHSA-2004-562.html

来源: VUPEN
名称: ADV-2006-0789
链接:http://www.frsirt.com/english/advisories/2006/0789

来源: support.avaya.com
链接:http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm

来源: SUNALERT
名称: 102198
链接:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1

来源: SECUNIA
名称: 19072
链接:http://secunia.com/advisories/19072
