HeLL SeXy

Konu: Apache
Apache'nin çapraz site betik çalıştırma açığından etkileniyor. Açık SSI hata sayfalarının kötü amaçlı HTML kodlarına karşı doğru olarak kontrol edilmememisinden kaynaklanıyor.
Saldırgan tarafından sağlanan HTML ve script kodu web sunucusunu ziyaret eden web istemcisinde çalıştırılabilir.

Bu tipteki saldırılar saldırganların web içeriğini değiştirebilmesine veya çerez-tabanlı kimlik tanılama bilgilerini çalabilmesine yol açabiliyor.

örnek:
http://%3CIMG%20SRC%3D%22%22%20ONER...%2Ecookie%29%22
%3E.apachesite.org/raise_404

Çözüm:
Oracle yamaların metalink sitesinde yakında hazır olacağını duyurdu.
FreeBSD güncellemeler çıkardı.
HP bir güvenlik bülteni yayınladı. HP-UX müşterilerinin aşağıdaki adresten Apache 1.3.27.00'ı çekmesi öneriliyor:
http://www.software.hp.com/ISS_products_list.html
Debian apache-perl paketleri güncellemeleri ile ilgili DSA 195-1 nolu güvenlik bültenini yayınladı.
SGI yama bilgilerini içeren bir bülten yayınladı. Kullanıcıların SGI IRIX 6.5.19'a güncellemeleri ve Apache 1.3.27'yi kurmaları tavsiye ediliyor.

kaynak: http://online.securityfocus.com/bid/5847


Açığı gerçekleştirme

Yerel:

Hayır

Uzaktan:

Evet

Etkilenen Sistemler

Etkilenenler:

Apache Software Foundation Apache 1.3
- Microsoft Windows 2000 Workstation
- Microsoft Windows NT 4.0
Apache Software Foundation Apache 1.3.1
Apache Software Foundation Apache 1.3.3
+ RedHat Linux 5.2 alpha
+ RedHat Linux 5.2 i386
+ RedHat Linux 5.2 sparc
Apache Software Foundation Apache 1.3.4
+ BSDI BSD/OS 4.0
Apache Software Foundation Apache 1.3.6
+ Sun Cobalt ManageRaQ3 3000R-mr
+ Sun Cobalt RaQ3 3000R
+ Sun Cobalt Velociraptor
Apache Software Foundation Apache 1.3.9
+ Debian Linux 2.2
+ Debian Linux 2.2 68k
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 sparc
+ Netscreen NetScreen-Global PRO Express Policy Manager Server
+ Netscreen NetScreen-Global PRO Policy Manager Server
- Sun Solaris 8.0
- Sun Solaris 8.0 _x86
Apache Software Foundation Apache 1.3.11
Apache Software Foundation Apache 1.3.12
+ Netscreen NetScreen-Global PRO Express Policy Manager Server
+ Netscreen NetScreen-Global PRO Policy Manager Server
+ OpenBSD OpenBSD 2.8
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0 sparc
+ Sun Cobalt ManageRaQ v2 3599BD
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Apache Software Foundation Apache 1.3.14
+ EnGarde Secure Linux 1.0.1
+ MandrakeSoft Linux Mandrake 7.1
+ MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Single Network Firewall 7.2
+ SGI IRIX 6.5
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.7
+ SGI IRIX 6.5.8
+ SGI IRIX 6.5.9
+ SGI IRIX 6.5.10
+ SGI IRIX 6.5.11
Apache Software Foundation Apache 1.3.17
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ OpenBSD OpenBSD 2.8
+ S.u.S.E. Linux 7.1
Apache Software Foundation Apache 1.3.18
Apache Software Foundation Apache 1.3.19
- Apple MacOS X 10.0.3
- Caldera OpenLinux 2.4
+ Debian Linux 2.3
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g
- Digital (Compaq) TRU64/DIGITAL UNIX 5.0
+ EnGarde Secure Linux 1.0.1
- FreeBSD FreeBSD 3.5.1
- FreeBSD FreeBSD 4.2
- HP HP-UX 10.20
- HP HP-UX 11.0
- HP HP-UX 11.0 4
- HP HP-UX 11.11
+ HP Secure OS software for Linux 1.0
- HP VirtualVault 4.5
- MandrakeSoft Linux Mandrake 7.1
- MandrakeSoft Linux Mandrake 7.2
- MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.1
- NetBSD NetBSD 1.5
- NetBSD NetBSD 1.5.1
- OpenBSD OpenBSD 2.8
+ OpenBSD OpenBSD 2.9
+ OpenBSD OpenBSD 3.0
- RedHat Linux 6.2
- RedHat Linux 7.0
- RedHat Linux 7.1
+ S.u.S.E. Linux 6.4
+ S.u.S.E. Linux 6.4 alpha
+ S.u.S.E. Linux 6.4 i386
+ S.u.S.E. Linux 6.4 ppc
+ S.u.S.E. Linux 7.0
+ S.u.S.E. Linux 7.0 alpha
+ S.u.S.E. Linux 7.0 i386
+ S.u.S.E. Linux 7.0 ppc
+ S.u.S.E. Linux 7.0 sparc
+ S.u.S.E. Linux 7.1
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.2
+ S.u.S.E. Linux 7.2 i386
- SCO eDesktop 2.4
- SCO eServer 2.3.1
- SGI IRIX 6.5.8
- SGI IRIX 6.5.9
- Sun Solaris 7.0
- Sun Solaris 8.0
Apache Software Foundation Apache 1.3.20
- HP HP-UX 11.20
- HP HP-UX 11.22
+ MandrakeSoft Single Network Firewall 7.2
+ S.u.S.E. Linux 7.3
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 sparc
+ SGI IRIX 6.5.12
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.13
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.14
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.15
+ SGI IRIX 6.5.16
+ SGI IRIX 6.5.17
+ SGI IRIX 6.5.18
+ Slackware Linux 8.0
+ Sun Cobalt Control Station 4100CS
Apache Software Foundation Apache 1.3.22
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Conectiva Linux 6.0
+ Conectiva Linux 7.0
+ Conectiva Linux 8.0
+ MandrakeSoft Corporate Server 1.0.1
+ MandrakeSoft Linux Mandrake 7.2
+ MandrakeSoft Linux Mandrake 8.0
+ MandrakeSoft Linux Mandrake 8.0 ppc
+ MandrakeSoft Linux Mandrake 8.1
+ MandrakeSoft Linux Mandrake 8.1 ia64
+ OpenPKG OpenPKG 1.0
+ RedHat Linux 6.2 alpha
+ RedHat Linux 6.2 i386
+ RedHat Linux 6.2 sparc
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2 ia64
+ Sun Solaris 8.0
+ Sun Solaris 8.0 _x86
+ Sun Solaris 9.0
Apache Software Foundation Apache 1.3.23
- IBM AIX 4.3
+ MandrakeSoft Linux Mandrake 8.2
+ MandrakeSoft Linux Mandrake 8.2 ppc
+ RedHat Linux 7.3
+ RedHat Linux 7.3 i386
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 8.0 i386
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.5
Apache Software Foundation Apache 1.3.24
+ OpenBSD OpenBSD 3.1
+ Oracle Oracle 9i Application Server 1.0.2
+ Oracle Oracle 9i Application Server 1.0.2 .1s
+ Oracle Oracle 9i Application Server 1.0.2 .2
+ Oracle Oracle 9i Application Server 9.0.2
+ Oracle Oracle HTTP Server 9.0.1
+ Oracle Oracle HTTP Server 9.2 .0
+ Slackware Linux 8.1
+ Unisphere Networks SDX-300 2.0.3
Apache Software Foundation Apache 1.3.25
Apache Software Foundation Apache 1.3.26
+ Conectiva Linux 6.0
+ Conectiva Linux 7.0
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 9.0
+ OpenPKG OpenPKG 1.1
+ Trustix Secure Linux 1.1
+ Trustix Secure Linux 1.2
+ Trustix Secure Linux 1.5
Apache Software Foundation Apache 2.0
Apache Software Foundation Apache 2.0.28
Apache Software Foundation Apache 2.0.32
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.40
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.42
+ Gentoo Linux 1.2
+ Gentoo Linux 1.4 _rc1
HP HP-UX 11.0
HP HP-UX 11.11
HP HP-UX 11.20
HP HP-UX 11.22
Oracle Oracle 8i Enterprise Edition 8.1.7 .1.0
Oracle Oracle 8i Enterprise Edition 8.1.7 .0.0
Oracle Oracle 9i Application Server 1.0.2 .2
Oracle Oracle 9i Application Server 1.0.2 .1s
Oracle Oracle 9i Application Server 1.0.2
Oracle Oracle 9i Application Server 9.0.2 release 2
Oracle Oracle 9i Application Server 9.0.2
Oracle Oracle 9iAS Reports 9.0.2 .1
Oracle Oracle8 8.1.7
- Microsoft Windows 2000 Workstation
Oracle Oracle8i 8.1.7 .1
Oracle Oracle8i 8.1.7
Oracle Oracle9i 9.0
Oracle Oracle9i 9.0.1 .3
Oracle Oracle9i 9.0.1 .2
Oracle Oracle9i 9.0.1
Oracle Oracle9i 9.0.2
Oracle Oracle9i Release 2 9.2 .2
Oracle Oracle9i Release 2 9.2 .1
Oracle Oracle9iAS Reports 9.0.2

Etkilenmeyenler:

Apache Software Foundation Apache 1.3.27
+ SGI IRIX 6.5.19
Apache Software Foundation Apache 2.0.43