Debian Bug report logs - #570740
apache: log file injection
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#570740; Package apache2. (Sun, 21 Feb 2010 06:33:55 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Sun, 21 Feb 2010 06:33:55 GMT)
Message #5 received at submit@bugs.debian.org:
Package: apache2
Severity: normal
Tags: security
Hi, the following issues were disclosed in 2003 for apache, but they
just got CVE numbers a few days ago. I haven't checked whether the
latest version of apache2 is affected, and if it isn't, please close
this bug. The problem actually seems rather unimportant to me since the
real issue is input sanitization for any vulnerable apache log analyzer.
CVE-2003-1580[0]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, uses a logging format that does not identify
| whether a dotted quad represents an unresolved IP address, which
| allows remote attackers to spoof IP addresses via crafted DNS
| responses containing numerical top-level domains, as demonstrated by a
| forged 123.123.123.123 domain name, related to an "Inverse Lookup Log
| Corruption (ILLC)" issue.
CVE-2003-1581[1]:
| The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
| client IP addresses, allows remote attackers to inject arbitrary text
| into log files via an HTTP request in conjunction with a crafted DNS
| response, as demonstrated by injecting XSS sequences, related to an
| "Inverse Lookup Log Corruption (ILLC)" issue.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1580
http://security-tracker.debian.org/tracker/CVE-2003-1580
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1581
http://security-tracker.debian.org/tracker/CVE-2003-1581
Reply sent to Stefan Fritsch <sf@sfritsch.de>: You have taken responsibility. (Mon, 22 Feb 2010 20:42:16 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Mon, 22 Feb 2010 20:42:16 GMT)
Message #10 received at 570740-done@bugs.debian.org:
Hi Michael,
I don't think there is anything in Apache that should be changed for
these issues. I will close the bug and mark them as unimportant in the
security tracker:
On Sunday 21 February 2010, Michael Gilbert wrote:
> CVE-2003-1580[0]:
> | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> | client IP addresses, uses a logging format that does not identify
> | whether a dotted quad represents an unresolved IP address, which
> | allows remote attackers to spoof IP addresses via crafted DNS
> | responses containing numerical top-level domains, as demonstrated
> | by a forged 123.123.123.123 domain name, related to an "Inverse
> | Lookup Log Corruption (ILLC)" issue.
This doesn't seem much different from a PTR record pointing to an
arbitrary domain name. Both cases can be handled by doing double
reverse lookups. Apache does this if configured with "HostNameLookups
double". It should be well known that single reverse lookups are
unreliable, so I don't see a security issue here.
> CVE-2003-1581[1]:
> | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> | client IP addresses, allows remote attackers to inject arbitrary
> | text into log files via an HTTP request in conjunction with a
> | crafted DNS response, as demonstrated by injecting XSS sequences,
> | related to an "Inverse Lookup Log Corruption (ILLC)" issue.
This is purely a log analyzer issue. Apache correctly escapes control
characters in hostnames. For everything else, the log analyzer is
responsible.
Cheers,
Stefan
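The two mitigations named in the reply above, sketched as an added example that is not part of the original thread and is not Apache's code: a double (forward-confirmed) reverse lookup before a name is logged, and escaping of the host field in the log analyzer. The resolver tables, addresses and function names are constructed for illustration.

```python
import html
import re

# Constructed resolver data (documentation address ranges), not from the bug report.
PTR = {
    "198.51.100.5": "mail.example.org",      # honest PTR record
    "203.0.113.7": "123.123.123.123",        # PTR name shaped like a dotted quad
    "203.0.113.9": "<b>x</b>.example.net",   # PTR name carrying markup
}
A = {
    "mail.example.org": ["198.51.100.5"],
    "<b>x</b>.example.net": ["203.0.113.9"],  # forward record also matches
}

# Letters-digits-hyphen labels separated by dots; dotted quads also match.
LDH = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def logged_host(peer_ip, ptr=PTR, a=A):
    """Double reverse lookup: use the PTR name only if it resolves back
    to the connecting address; otherwise log the address itself."""
    name = ptr.get(peer_ip)
    if name and peer_ip in a.get(name, []):
        return name
    return peer_ip


def report_cell(host):
    """Analyzer side: the host field is untrusted text. Escape it before
    it reaches an HTML report and flag names that are not plain LDH."""
    suspicious = LDH.fullmatch(host) is None
    return html.escape(host, quote=True), suspicious


if __name__ == "__main__":
    for ip in PTR:
        host = logged_host(ip)
        print(ip, "->", report_cell(host))
```

The forged dotted-quad name fails the forward check, so the real address is logged; the markup-bearing name passes it, which is why the analyzer still has to escape the field.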
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Apache Maintainers <debian-apache@lists.debian.org>: Bug#570740; Package apache2. (Mon, 22 Feb 2010 21:12:05 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Apache Maintainers <debian-apache@lists.debian.org>. (Mon, 22 Feb 2010 21:12:05 GMT)
Message #15 received at 570740@bugs.debian.org:
On Mon, 22 Feb 2010 21:37:40 +0100, Stefan Fritsch wrote:
> Hi Michael,
>
> I don't think there is anything in Apache that should be changed for
> these issues. I will close the bug and mark them as unimportant in the
> security tracker:
>
> On Sunday 21 February 2010, Michael Gilbert wrote:
> > CVE-2003-1580[0]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, uses a logging format that does not identify
> > | whether a dotted quad represents an unresolved IP address, which
> > | allows remote attackers to spoof IP addresses via crafted DNS
> > | responses containing numerical top-level domains, as demonstrated
> > | by a forged 123.123.123.123 domain name, related to an "Inverse
> > | Lookup Log Corruption (ILLC)" issue.
>
> This doesn't seem much different from a PTR record pointing to an
> arbitrary domain name. Both cases can be handled by doing double
> reverse lookups. Apache does this if configured with "HostNameLookups
> double". It should be well known that single reverse lookups are
> unreliable, so I don't see a security issue here.
>
> > CVE-2003-1581[1]:
> > | The Apache HTTP Server 2.0.44, when DNS resolution is enabled for
> > | client IP addresses, allows remote attackers to inject arbitrary
> > | text into log files via an HTTP request in conjunction with a
> > | crafted DNS response, as demonstrated by injecting XSS sequences,
> > | related to an "Inverse Lookup Log Corruption (ILLC)" issue.
>
> This is purely a log analyzer issue. Apache correctly escapes control
> characters in hostnames. For everything else, the log analyzer is
> responsible.
i came to the same conclusions, and i've already marked the issues
unimportant in the tracker. my goal for the bug report was to get a
second opinion from someone more familiar with apache. thanks!
mike
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Mar 2010 07:35:41 GMT)
Last modified: Wed Jun 19 17:39:46 2019