=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN598
_____________________________________________________________________

DATE                      : 17/12/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris 10 running mod_proxy_http for Apache
                                2.0, mod_proxy_ftp for Apache 2.0.

======================================================================
http://sunsolve.sun.com/search/document.do?assetkey=1-66-247666-1
______________________________________________________________________

Solution Type Sun Alert
Solution  247666 :   Security Vulnerabilities in the Apache 2.0
"mod_proxy_http" and "mod_proxy_ftp" Modules may Lead to Denial of Service
(DoS) or Cross Site Scripting (XSS)

Bug ID
6725791, 6737160

Product
Solaris 10 Operating System

Date of Workaround Release
15-Dec-2008

SA Document Body
Security Vulnerabilities in the Apache 2.0 "mod_proxy_http" and
"mod_proxy_ftp" modules:

1. Impact

Two security vulnerabilities have been found in the Apache HTTP server that
affect the Apache 2.0 web server bundled with Solaris 10:

1. A  Denial of Service (DoS) vulnerability in the "mod_proxy_http" Apache
server module (CVE-2008-2364), may allow a remote unprivileged user who is in
control of a web server to which requests may be proxied, to cause a denial
of service to the Apache "httpd" process (or potentially to the system as a
whole as the application may consume excessive resources).

2. A  Cross Site Scripting (CSS or XSS) vulnerability in the "mod_proxy_ftp"
Apache server module (CVE-2008-2939), may allow a remote unprivileged user
to inject arbitrary web script or HTML. This may allow the unprivileged user
to bypass access control and gain access
to unauthorized data.

These issues are described in the following documents:

CVE-2008-2364 at:
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364

CVE-2008-2939 at:
    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform
    * Solaris 10 without patch

x86 Platform
    * Solaris 10

Note 1: Solaris 8 and Solaris 9 do not include support for Apache 2.0 web
server and therefore are not  impacted by these issues.

Note 2: A system is only vulnerable to the described issues if the Apache
2.0 web server has been configured and is running on the system.
To determine if the Apache 2.0 web server is enabled, the following SMF
command can be used:

    $ svcs svc:/network/http:apache2
    STATE          STIME    FMRI
    disabled       Feb_02   svc:/network/http:apache2

Note 3: The "mod_proxy_http" vulnerability (CVE-2008-2364) only affects
systems that enable a forward proxy.  This feature is disabled by default and
is very rarely used. To determine if  the forward proxy is enabled, run the
following command for all of the configuration files that define the running
Apache 2.0 configuration:

    $ grep "ProxyRequests" /etc/apache2/httpd.conf
    ProxyRequests On

Note 4: "The mod_proxy_ftp" vulnerability (CVE-2008-2939) only affects
systems that enable FTP over HTTP proxying, and a forward proxy (see note 3)
or a reverse proxy is enabled. To determine if the FTP over HTTP proxying is
enabled, run the following command for all of the configuration files that
define the running Apache 2.0 configuration:

    $ grep "mod_proxy_ftp" /etc/apache2/httpd.conf
    LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so

To determine if the reverse proxy is enabled, run the following command for
all of the configuration files that define the running Apache 2.0
configuration:

    $ grep "ProxyPass" /etc/apache2/httpd.conf
    ProxyPass /foo http://foo.example.com/bar

3. Symptoms

If the first issue (CVE-2008-2364) is exploited, the Apache 2.0 web server
may be unresponsive, possibly consuming all available CPU or
memory resources.

Commands such as prstat(1M) can be used to determine the utilization of
system resources:

    $ prstat -s cpu
    [...]

There are no predictable symptoms that would indicate that the second issue
(CVE-2008-2939) has been exploited.

4. Workaround

To work around the "mod_proxy_http" issue (CVE-2008-2364), make sure that
the forward proxy is not enabled (see Note 3 in Section 2) in in the Apache
2 "httpd.conf" file.

To work around the "mod_proxy_ftp" issue (CVE-2008-2939), make sure that
module "mod_proxy_ftp.so" is not loaded (see Note 4 in Section 2) in the
Apache 2 "httpd.conf" file.

5. Resolution

A final resolution is pending completion.

For more information on Security Sun Alerts, see Technical Instruction ID
213557.

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third parties.
The issues described in this Sun Alert notification may or may not impact
your system(s). Sun makes no representations, warranties, or guarantees as to
the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential information. It
is being provided to you pursuant to the provisions of your agreement to
purchase services from Sun, or, if you do not have such an agreement, the
Sun.com Terms of Use. This Sun Alert notification may only be used for the
purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================