PCI Compliance Expect Header Cross-Site Scripting Vulnerability (8443, plesk)
PCI compliance Expect Header Cross-Site Scripting Vulnerability
If you get the following warning in a PCI scan:
Security warning found on port/service "pcsync-https (8443/tcp)" Plugin "Expect Header Cross-Site Scripting Vulnerability" Category "CGI abuses : XSS " Priority "Medium Priority "Synopsis : The remote web server is vulnerable to a cross-site scripting attack. Description : The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content. An unauthenticated remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially-crafted ShockWave (SWF) files See also: http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html http://archives.neohapsis.com/archives/bugtraq/2006-05/0441.html http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html http://www.apache.org/dist/httpd/CHANGES_2.2 http://www.apache.org/dist/httpd/CHANGES_2.0 http://www.apache.org/dist/httpd/CHANGES_1.3 http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631 http://www-1.ibm.com/support/docview.wss?uid=swg24017314 Solution : Check with the vendor for an update to the web server. For Apache, the issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2 for IBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1 for IBM WebSphere Application Server, upgrade to 5.1.1.17. Risk factor : Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N) CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3918 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5944 BID : 19661, 26457 Other references : OSVDB:27487, OSVDB:27488, OSVDB:38700
You can test it by connecting to the server / VPS and running:
openssl s_client -host localhost -port 8443
GET / HTTP/1.1
Host: localhost
EXPECT: <script>alert("xss")</script>
Then hit return
You should get:
HTTP/1.1 417 Expectation Failed
Date: Tue, 16 Feb 2010 18:42:30 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
172
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>417 Expectation FailedExpectation Failed</H1>
The expectation given in the Expect request-header
field could not be met by this server.<P>
The client sent<PRE>
Expect: <script>alert ("xss")</script>
</PRE>
but we only allow the 100-continue expectation.
</BODY></HTML>
If you do the following:
To fix the vulnerability (returned error code may contain some script) it is recommended that you add option ErrorDocument into configuration of Apache service that serves Parallels Panel.
For that create file /usr/local/psa/admin/conf/httpsd.custom.include that contains the record:
ErrorDocument 417 “Expect not supported”
And then restart Plesk Apache service
service psa restart1
You should now get:
HTTP/1.1 417 Expectation Failed Date: Wed, 17 Feb 2010 10:13:19 GMT Server: Apache Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 15 Expect not supported" 0
Related Posts
| Print article | This entry was posted by PB on February 22, 2010 at 08:49, and is filed under PCI. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site. |
about 1 month ago
It may be an old issue, but this helped out a lot. Saved me the trouble of upgrading Plesk! Thanks.