Advisory: Padding Oracle in Apache mod_session_crypto

During a penetration test, RedTeam Pentesting discovered a Padding Oracle
vulnerability in mod_session_crypto of the Apache web server. This
vulnerability can be exploited to decrypt the session data and even encrypt
attacker-specified data.

Details
=======

Product: Apache HTTP Server mod_session_crypto
Affected Versions: 2.3 to 2.5
Fixed Versions: 2.4.25
Vulnerability Type: Padding Oracle
Security Risk: high
Vendor URL: http://ift.tt/2inbjjq
Vendor Status: fixed version released
Advisory URL: http://ift.tt/2hPnwAx
Advisory Status: published
CVE: CVE-2016-0736
CVE URL: http://ift.tt/2inciA4

Introduction
============

The module mod_session_crypto of the Apache HTTP Server can be used in
conjunction with the modules mod_session and mod_session_cookie to store
session data in an encrypted cookie within the users' browsers. This avoids
server-side session state so that incoming HTTP requests can be easily
distributed amongst a number of application web servers which do not need to
share session state.

More Details
============

The module mod_session_crypto uses symmetric cryptography to encrypt and
decrypt session data and uses mod_session to store the encrypted data in a
cookie (usually called "session") within the user's browser. The decrypted
session is then made available to the application in an environment variable
(in case of a CGI script) or in a custom HTTP request header. The application
can add a custom HTTP response header (usually "X-Replace-Session") which
instructs the HTTP server to replace the session's content with the value of
the header. Detailed instructions to set up mod_session and mod_session_crypto
can be found in the documentation:

http://ift.tt/2hPgHib

The module mod_session_crypto is configured to use either 3DES or AES with
various key sizes, defaulting to AES256. Encryption is handled by the function
"encrypt_string":

modules/session/mod_session_crypto.c
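
Added example, not part of the advisory and not Apache's code: a shell check that decides from a version banner and a loaded-module list whether a host falls under the affected range given above (2.3 to 2.5, fixed in 2.4.25). The function names are hypothetical and the sample banner and module list are constructed; on a real host the two inputs would be the output of `apachectl -v` and `apachectl -M`.

```shell
#!/bin/sh
# Added example. Version bounds are the advisory's own:
# "Affected Versions: 2.3 to 2.5", "Fixed Versions: 2.4.25".

# classify_version BANNER
# Prints: affected | fixed | review | not-listed | unknown
classify_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ]; then echo not-listed
    elif [ "$minor" -eq 3 ]; then echo affected
    elif [ "$minor" -eq 4 ] && [ "$patch" -lt 25 ]; then echo affected
    elif [ "$minor" -eq 4 ]; then echo fixed
    # 2.5 is listed as affected, but the advisory names no fixed 2.5 release.
    elif [ "$minor" -eq 5 ]; then echo review
    else echo not-listed
    fi
}

# uses_session_crypto MODULE_LIST: exit 0 if session_crypto_module is loaded.
uses_session_crypto() {
    case "$1" in
        *session_crypto_module*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess BANNER MODULE_LIST: one-line verdict combining both checks.
assess() {
    state=$(classify_version "$1")
    if ! uses_session_crypto "$2"; then
        echo "not exposed: mod_session_crypto not loaded (version: $state)"
    elif [ "$state" = affected ]; then
        echo "exposed: upgrade to the fixed version 2.4.25"
    else
        echo "mod_session_crypto loaded, version: $state"
    fi
}

# Constructed sample input (not captured from a real host).
sample_banner='Server version: Apache/2.4.23 (Unix)'
sample_modules=' session_module (shared)
 session_cookie_module (shared)
 session_crypto_module (shared)'
assess "$sample_banner" "$sample_modules"
```

A host that reports "exposed" both runs an affected version and has the module loaded; a loaded module on a "review" or "unknown" version needs a manual check against the vendor's release notes.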