
Preemptive Protection against Apache HTTP Server 413 Error Page Cross-Site Scripting Vulnerability


Check Point Reference: CPAI-2007-135
Date Published:
Severity:
Source: Secunia Advisory: SA27906
Industry Reference(s): CVE-2007-6203
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
VSX
  • NGX
InterSpect
  • NGX
Who is Vulnerable?
Apache version 2.0.46 (Red Hat)
Apache version 2.0.51 (Fedora)
Apache version 2.0.55 (Ubuntu)
Apache version 2.0.59 (Unix)
Apache version 2.2.3 (FreeBSD)
Apache version 2.2.4 (Linux/SUSE)
Vulnerability Description
A cross-site scripting (XSS) vulnerability exists in Apache HTTP Server. Apache is a popular web server available for a wide variety of operating systems. Successful exploitation of this vulnerability could result in arbitrary scripting code execution by the user's browser in the context of an affected site.
Vulnerability Details
The vulnerability is due to an input validation error in Apache, which fails to properly handle malformed HTTP requests when displaying "413 Request Entity Too Large" error messages. A remote attacker may inject arbitrary HTML or JavaScript into the response received from the server. Successful exploitation of this issue may allow the attacker to execute arbitrary scripting code in the user's browser in the context of the affected site.
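The following is an added example, not code from Check Point or Apache: a strict request-line check that rejects malformed requests before they reach the server, shown with an error page that HTML-escapes client-supplied text before reflecting it. It assumes, per the public CVE-2007-6203 description, that the unsanitized value is the HTTP method; the function names, the error-page wording and the sample request lines are constructed for illustration.

```python
import html
import re

# RFC 7230 "token": the only characters permitted in an HTTP method.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")


def check_request_line(line):
    """Return (ok, reason) for one HTTP request line under strict parsing."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return False, "request line is not 'METHOD SP target SP version'"
    method, target, version = parts
    if not TOKEN.fullmatch(method):
        return False, "method contains non-token characters"
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False, "target contains control or space characters"
    if not VERSION.fullmatch(version):
        return False, "bad HTTP version"
    return True, "ok"


def render_413(method):
    """Hardened error body: the client-supplied method is escaped before reflection."""
    # Constructed wording, not Apache's actual error template.
    return ("<h1>Request Entity Too Large</h1>\n"
            "<p>The requested resource does not allow request data with "
            + html.escape(method) + " requests.</p>")


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /index.html HTTP/1.1",
    "POST /upload HTTP/1.1",
    "<b>GET</b> /index.html HTTP/1.1",  # markup in the method position
    "GET  /index.html HTTP/1.1",         # doubled space yields four fields
]


def triage(lines):
    """Return (line, ok, reason) for each request line."""
    return [(line, *check_request_line(line)) for line in lines]


if __name__ == "__main__":
    for line, ok, reason in triage(SAMPLES):
        print("PASS " if ok else "BLOCK", repr(line), "-", reason)
    print(render_413("<b>GET</b>"))
```

Validation at the gateway and escaping at the server are independent controls; either one alone keeps the injected markup out of the rendered error page.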

Protection Overview
By enabling this protection, SmartDefense will detect and block illegal HTTP headers. No update is required to address this vulnerability.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Methods.
2. In the configuration pane, under Settings > Mode, check Active.
3. In the HTTP Protocol Inspection configuration pane select:

Enforce strict HTTP request parsing

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Malformed HTTP
Attack Information: Error parsing HTTP sub-header

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection and enable HTTP Methods.
2. In the HTTP Protocol Inspection configuration pane select the following:

Enforce strict HTTP request parsing

3. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Malformed HTTP
Attack Information: Error parsing HTTP sub-header

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection and enable HTTP Methods.
3. In the HTTP Protocol Inspection configuration pane select the following:

Enforce strict HTTP request parsing

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Malformed HTTP
Attack Information: Error parsing HTTP sub-header

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the left-hand menu, click Security > Web Intelligence.
2. In the HTTP Protocol Inspection pane, select the following protections:

HTTP Format
Block unsafe HTTP methods

3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:

Attack Name: Malformed HTTP
Attack Information: Error parsing HTTP sub-header