On 9/22/06, Birol Ertekin <birol@...> wrote:
> Has anybody tried stopping Apache Expect Header XSS vulnerability with
Apologies for my slow response - it's been very busy lately.
> I tried these two filters, but they did not work:
> SecFilterSelective HEADERS_NAMES
The above is the correct approach. There is a problem with Apache,
however, that it gives special treatment to the Expect header. It will
deal with it before giving control to ModSecurity. This problem
affects only ModSecurity 1.x. In ModSecurity 2.x there are two request
phases, and one of those two happens very early, before Apache
processes the Expect header. So the following works when executed as
part of the early phase:
    # Configure defaults: run in phase 1 (request headers), which is
    # before Apache acts on the Expect header; deny on match
    SecDefaultAction "phase:1,log,deny,status:403"
    # Reject invalid Expect headers
    SecRule REQUEST_HEADERS:Expect "!^100-[cC]ontinue$"
However, let's go back to ModSecurity 1.9.x. There are two ways to
deal with this problem. First, compiling with -DENABLE_EARLY_HOOK (it
makes the request processing phase happen much earlier, at the same
time as phase 1 in ModSecurity 2.x) would probably work but this is an
experimental switch and I generally wouldn't recommend it.
However, I noticed Apache responds with status code 417 when an Expect
problem occurs. This is nice because you can simply add:
    ErrorDocument 417 "Expect problem"
and you will have solved the XSS problem. (The above replaces the
default error page with "Expect problem").
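As an added illustration that is not part of the mail above: a small Python check that applies the same Expect-header rule and shows why a fixed ErrorDocument 417 body removes the reflection. The default_error_page text is a constructed approximation of Apache's stock 417 page, not a copy of it.

```python
import re

# Same pattern as the ModSecurity 2.x rule in the mail:
#   SecRule REQUEST_HEADERS:Expect !^100-[cC]ontinue$
# fullmatch() is used so a trailing newline cannot slip past the anchors.
EXPECT_OK = re.compile(r"100-[cC]ontinue")


def expect_rule_verdict(expect_value: str) -> str:
    """Return 'allow' for a well-formed Expect header, otherwise 'deny'."""
    return "allow" if EXPECT_OK.fullmatch(expect_value) else "deny"


def default_error_page(expect_value: str) -> str:
    """Constructed approximation of the stock Apache 417 page, which echoes
    the client's Expect value back into the HTML body unescaped."""
    return (
        "<html><head><title>417 Expectation Failed</title></head><body>"
        "<h1>Expectation Failed</h1><p>The expectation given in the Expect "
        "request-header field could not be met by this server.<br />"
        f"The client sent <pre>Expect: {expect_value}</pre></p></body></html>"
    )


# Body produced by the directive suggested in the mail:
#   ErrorDocument 417 "Expect problem"
CUSTOM_ERROR_PAGE = "Expect problem"


def header_reflected(expect_value: str, body: str) -> bool:
    """True when the raw Expect value appears verbatim in the response body,
    i.e. the page reflects client input without escaping."""
    return expect_value in body


def audit(expect_value: str, body: str) -> dict:
    """Combine the rule verdict with a reflection check on the 417 body."""
    return {
        "verdict": expect_rule_verdict(expect_value),
        "reflected": header_reflected(expect_value, body),
    }


if __name__ == "__main__":
    probe = "<i>probe</i>"  # constructed, harmless markup marker
    print(audit("100-continue", CUSTOM_ERROR_PAGE))
    print(audit(probe, default_error_page(probe)))   # reflected: True
    print(audit(probe, CUSTOM_ERROR_PAGE))           # reflected: False
```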