A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.
This particular attack involves a lack of filtering on the HTTP/1.1 "Host" header, which most recent browsers send. The vulnerability occurs because Apache does not filter maliciously malformed Host headers containing HTML markup before returning them to the browser as entity data in the error page.
The following URL will demonstrate the attack: http://%3CIMG%20SRC%3D%22%22%20ONERROR%3D%22alert%28document%2Ecookie%29%22%3E.apachesite.org/raise_404
Some browsers submit the malicious host header when parsing this request:
Apache returns this malicious host in the form of a server signature:
<ADDRESS>Apache/2.0.39 Server at <IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org</ADDRESS>
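The following Python is an added illustration, not code from the advisory or from Apache: it models the flawed reflection described above (the Host header inserted verbatim into the ADDRESS signature) beside the hardened form that HTML-escapes the header, and adds a strict hostname check that a server or log-review script can use to reject or flag Host values carrying markup. The log lines and the tab-separated layout are constructed for the example.

```python
import html
import re

# Constructed sample Host header values (the markup one mirrors the advisory's URL).
BENIGN_HOST = "www.apachesite.org"
MARKUP_HOST = '<IMG SRC="" ONERROR="alert(document.cookie)">.apachesite.org'

SERVER_VERSION = "Apache/2.0.39"  # version string quoted in the advisory


def signature_unescaped(host: str) -> str:
    """Model of the flawed behaviour: Host header copied verbatim into the signature."""
    return f"<ADDRESS>{SERVER_VERSION} Server at {host}</ADDRESS>"


def signature_escaped(host: str) -> str:
    """Hardened form: escape <, >, &, and quotes so the header is inert entity data."""
    return f"<ADDRESS>{SERVER_VERSION} Server at {html.escape(host, quote=True)}</ADDRESS>"


# RFC 1123-style hostname labels, optional ":port". Anything else is rejected,
# which is stricter than escaping and is what a front end should enforce anyway.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*(?::\d{{1,5}})?$")


def is_valid_host(host: str) -> bool:
    """True only for a syntactically valid hostname (with optional port)."""
    return len(host) <= 255 and bool(_HOST_RE.match(host))


# Constructed access-log lines, tab-separated: client, request line, status, Host header.
SAMPLE_LOG = [
    "10.0.0.5\tGET /index.html HTTP/1.1\t200\t" + BENIGN_HOST,
    "10.0.0.9\tGET /raise_404 HTTP/1.1\t404\t" + MARKUP_HOST,
    "10.0.0.7\tGET /raise_404 HTTP/1.1\t404\tapachesite.org:8080",
]


def flag_suspicious_hosts(lines):
    """Return (client, status, host) for every request whose Host header is not a valid hostname."""
    hits = []
    for line in lines:
        client, _request, status, host = line.split("\t", 3)
        if not is_valid_host(host):
            hits.append((client, status, host))
    return hits


if __name__ == "__main__":
    print("flawed :", signature_unescaped(MARKUP_HOST))
    print("escaped:", signature_escaped(MARKUP_HOST))
    for client, status, host in flag_suspicious_hosts(SAMPLE_LOG):
        print(f"suspicious Host from {client} (status {status}): {host!r}")
```

Escaping makes the reflected value harmless in the error page; the hostname check goes further by refusing to reflect anything that is not a hostname at all, and the same check is usable offline over logged Host headers to spot probing for this class of flaw.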
Cross-site scripting vulnerabilities are often assumed to be small, insignificant exposures that are not worth much attention. This is a false assumption -- depending on the applications installed, a successful privilege escalation via XSS can result in complete compromise of a web server or of other sensitive systems. Further, the privacy risks from XSS holes are severe -- many users will be far less inclined to visit a site that may accidentally cough up their personal information to an attacker.