Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users

$
0
0

A researcher has discovered a cross-site scripting vulnerability caused by mishandling of a PHP header in Apache version 2.x. Upgrade PHP and review privileges for applications and services using it.

Background

Researcher Prashanth Varma posted PHP Bug #76582 for Apache version 2.x that details a cross-site scripting (XSS) bug which could allow an unauthenticated attacker to send a malicious POST request that echoes the embedded script in the body of the response. The Center for Internet Security (CIS) issued an advisory stating that PHP versions 7.2 (prior to 7.2.10), 7.1 (prior to 7.1.22), 7.0 (prior to 7.0.32) and 5.6 (prior to 5.6.38) are all vulnerable. At the time of publication, there is no CVE for this vulnerability.

Vulnerability details

Apache mishandles the “Transfer-Encoding: chunked” PHP header that normally sends data chunks to another host in a transfer request. When exploited, it displays text in an error window in the active browser session. The exploit requires a locally run script, but does not require user interaction or authentication to run. The attacker could include a malicious link in these error messages, opening the user up to further attack if clicked.

As with any XSS attack, unsanitized text could allow for arbitrary code execution beyond a simple error message. No instances of more sophisticated attacks have been seen at the time of this writing, but as time progresses, additional attacks could use this exploit as a vector.

Urgently required actions

Upgrade PHP to the latest version to ensure that assets have the latest security patches. We also recommend reviewing privileges and asset access of any apps or services that utilize PHP in order to understand what targets are at risk. And, as always, reinforce security awareness with users, so they know the risks of clicking on links in error messages. Clicking on new messages from trusted sites can be just as dangerous as clicking on messages from untrusted sources.

Identifying affected systems

Tenable will be releasing plugins to scan for this vulnerability shortly and will continue to monitor the situation. Even though this vulnerability only appears to affect Apache at this time, we recommend upgrading PHP to the latest version, even for users using other platforms that utilize PHP, to minimize risk.

Get more information

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Viewing all articles
Browse latest Browse all 1935

Trending Articles