[Plugins-writers] www_expect_xss.nasl FP [PATCH]

• Previous message: Renaud Deraison: "Re: [Plugins-writers] Problems with Pread()"
• Next in thread: George A. Theall: "Re: [Plugins-writers] www_expect_xss.nasl FP [PATCH]"
• Reply: George A. Theall: "Re: [Plugins-writers] www_expect_xss.nasl FP [PATCH]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

the exploit string used in this plugin cannot detect whether the remote Apache is
vulnerable to the CVE-2006-3918 Expect header XSS issue. The plugin currently sends
"Expect: www_expect_xss.nasl testing for BID 19661". If this is seen in the 417
Expectation Failed response, the plugin fires.

The fix in Apache was to add quoting, not to omit the Expect completely. So on
Apache 2.2.3, this exploit string is echoed back unchanged, and the plugin fires
incorrectly.

To do a proper test, the exploit string needs to contain something that will be quoted,
e.g. angle brackets.

A patch that would fix the plugin is:

--- /usr/lib/nessus/plugins/www_expect_xss.nasl 2006-09-12 17:28:33.000000000 +0100
+++ ./www_expect_xss.nasl       2006-09-13 15:07:39.000000000 +0100
@@ -75,7 +75,7 @@


 # Generate a request to exploit the flaw.
-exploit = string(SCRIPT_NAME, " testing for BID 19661");
+exploit = string(SCRIPT_NAME, " testing for BID 19661 <test>");
 req = string(
   "GET / HTTP/1.1\r\n",
   "Accept: */*\r\n",



Example result on a vulnerable Apache:

Server: Apache/1.3.33 (Unix) PHP/5.0.3 mod_perl/1.29 mod_ssl/2.8.22 OpenSSL/0.9.7e
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

1ca
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>417 Expectation Failed</TITLE>
</HEAD><BODY>
<H1>Expectation Failed</H1>
The expectation given in the Expect request-header
field could not be met by this server.<P>
The client sent<PRE>
    Expect: www_expect_xss.nasl testing for BID 19661 <test>


Example on a fixed Apache:

Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7a
Content-Length: 406
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>417 Expectation Failed</title>
</head><body>
<h1>Expectation Failed</h1>
<p>The expectation given in the Expect request-header
field could not be met by this server.</p>
<p>The client sent<pre>
    Expect: www_expect_xss.nasl testing for BID 19661 &lt;test&gt;




-- 
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers

• Previous message: Renaud Deraison: "Re: [Plugins-writers] Problems with Pread()"
• Next in thread: George A. Theall: "Re: [Plugins-writers] www_expect_xss.nasl FP [PATCH]"
• Reply: George A. Theall: "Re: [Plugins-writers] www_expect_xss.nasl FP [PATCH]"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Wed Sep 13 2006 - 07:37:37 PDT