The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: reading an HttpOnly cookie

Synthesis of the vulnerability 

An attacker can use a malformed HTTP query to trigger a 400 error page that displays the user's HttpOnly cookies, so that JavaScript code can access them.
Vulnerable software: Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity of this advisory: 2/4.
Creation date: 27/01/2012.
References for this vulnerability: BID-51706, c03231301, c03278391, CERTA-2012-AVI-225, CVE-2012-0053, DSA-2405-1, FEDORA-2012-1598, FEDORA-2012-1642, HPSBMU02748, HPSBUX02761, JSA10585, MDVSA-2012:012, openSUSE-SU-2012:0314-1, RHSA-2012:0128-01, RHSA-2012:0323-01, RHSA-2012:0542-01, RHSA-2012:0543-01, SOL15273, SOL15889, SSA:2012-041-01, SSRT100772, SSRT100823, SUSE-SU-2012:0284-1, SUSE-SU-2012:0323-1, VIGILANCE-VUL-11323.

Description of the vulnerability 

The HTTP Set-Cookie header defines a cookie. This header can also carry the HttpOnly attribute:
  Set-Cookie: v=abc; HttpOnly
This attribute indicates that the cookie must not be accessible from JavaScript. The feature is supported since IE 6 SP1, Mozilla Firefox 3.0.0.6 and Opera 9.23, and is meant to limit the impact of Cross-Site Scripting on a website.

When Apache httpd receives a malformed HTTP query (a CONNECT with an "authority", a line longer than LimitRequestFieldSize, a header without ':'), it returns a 400 error page. If no error page is defined with ErrorDocument, Apache httpd generates this page dynamically. However, the generated page echoes the request headers, in order to help developers. Cookies are thus displayed inside the HTML even when they carry the HttpOnly attribute. As JavaScript code is allowed to read an HTML document it has fetched, it can thus read the cookie.

An attacker can therefore use a malformed HTTP query to trigger a 400 error page that displays the user's HttpOnly cookies, so that JavaScript code can access them.
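The description above notes that the dynamic 400 page is only generated when no ErrorDocument is defined. The following Apache httpd 2.2 configuration fragment is an added example, not part of the Vigil@nce bulletin or of the Apache project, showing a static error page as a stop-gap for servers that cannot yet be upgraded to a fixed version; the path /var/www/error and the file 400.html are assumed.

```apache
# Added example (not from the bulletin): serve a static page for HTTP 400
# instead of the dynamically generated one, so request headers (including
# HttpOnly cookies) are never echoed into the response body.
#
# Place these directives at the server (global) level: a malformed request
# can be rejected before a <VirtualHost> is selected, so a directive that
# exists only inside a vhost may not be applied to that request.

# Static file, not a CGI or a script: it must exist and be readable by httpd.
ErrorDocument 400 /error/400.html

Alias /error/ "/var/www/error/"
<Directory "/var/www/error">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

This is a workaround only; the fix remains the upgrade to the versions listed under "Solutions for this threat", after which the static page can be kept as defence in depth.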

This vulnerability advisory impacts software or systems such as Apache httpd, Debian, BIG-IP Hardware, TMOS, Fedora, OpenView NNM, HP-UX, Junos Space, Junos Space Network Management Platform, Mandriva Linux, openSUSE, Solaris, Trusted Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is: confirmed by the vendor, with a document as origin.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with specialist skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: version 2.2.22.
The version 2.2.22 is corrected:
  http://httpd.apache.org/download.cgi

Apache HTTP Server: version 2.0.65.
The version 2.0.65 is fixed:
  http://httpd.apache.org/download.cgi#apache20

Apache httpd: patch for HttpOnly.
A patch is available in information sources.

Debian: new apache2 packages.
New packages are available:
  apache2 2.2.9-10+lenny12
  apache2 2.2.16-6+squeeze6

F5 BIG-IP: fixed versions for HTTPOnly.
Fixed versions are indicated in information sources.

F5 BIG-IP: solution for Apache.
The solution is indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  httpd-2.2.22-1.fc15
  httpd-2.2.22-1.fc16

HP OV NNM: hotfix SSRT100772.
Hotfix SSRT100772 is available.

HP-UX: Apache Web Server versions 2.35 and 3.23.
Versions 2.35 and 3.23 are corrected:
  HP-UX B.11.11:
    https://h20392.www2.hp.com/portal/swdepot/try.do?productNumber=HPUXWSATW235
    revision B.2.0.64.03
  HP-UX B.11.23, B.11.31:
    https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW323
    revision B.2.2.15.12

Junos Space: version 13.1R1.6.
The version 13.1R1.6 is fixed.

Mandriva: new apache packages.
New packages are available:
  apache-2.2.22-0.1mdv2010.2
  apache-2.2.22-0.1-mdv2011.0
  apache-2.2.22-0.1mdvmes5.2

RHEL 5: new httpd packages.
New packages are available:
  httpd-2.2.3-63.el5_8.1

RHEL 6.2: new httpd packages.
New packages are available:
  httpd-2.2.15-15.el6_2.1

RHEL: new JBoss Enterprise Web Server packages.
New packages are available:
  httpd-2.2.17-15.4.ep5.el5
  httpd-2.2.17-15.4.ep5.el6
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

Slackware: new httpd packages.
New packages are available:
  httpd-2.2.22-i486-1_slack12.0
  httpd-2.2.22-i486-1_slack12.1
  httpd-2.2.22-i486-1_slack13.0
  httpd-2.2.22-i486-1_slack13.1
  httpd-2.2.22-i486-1_slack13.37

Solaris 10: patch for Apache HTTP Server 2.
A patch is available:
  Solaris 10:
    SPARC: 120543-28
    X86: 120544-28

Solaris 11: patch 11/11 SRU 6.6.
A patch is available:
  11/11 SRU 6.6:
  https://support.oracle.com/CSP/main/article?type=NOT&id=1448432.1

Solaris 8, 9, 10: patch for Apache HTTP Server 1.3.
A patch is available:
  Solaris 8:
    SPARC: 116973-10
    X86: 116974-10
  Solaris 9:
    SPARC: 113146-15
    X86: 114145-14
  Solaris 10:
    SPARC: 122911-30
    X86: 122912-30

SUSE: new apache2 packages.
New packages are available:
  openSUSE 11.4: apache2-2.2.17-4.13.1
  SUSE LE 10: apache2-2.2.3-16.44.1
  SUSE LE 11: apache2-2.2.12-1.30.1
