New Apache PHP XSS Bug Displays Modified HTTP Request Text to Users

A researcher has discovered a cross-site scripting vulnerability caused by mishandling of a PHP header in Apache version 2.x. Upgrade PHP and review privileges for applications and services using it.

Background

Researcher Prashanth Varma posted PHP Bug #76582 for Apache version 2.x that details a cross-site scripting (XSS) bug which could allow an unauthenticated attacker to send a malicious POST request that echoes the embedded script in the body of the response. The Center for Internet Security (CIS) issued an advisory stating that PHP versions 7.2 (prior to 7.2.10), 7.1 (prior to 7.1.22), 7.0 (prior to 7.0.32) and 5.6 (prior to 5.6.38) are all vulnerable. This vulnerability has been assigned CVE-2018-17082.

Vulnerability details

Apache mishandles the “Transfer-Encoding: chunked” PHP header that normally sends data chunks to another host in a transfer request. When exploited, it displays text in an error window in the active browser session. The exploit requires a locally run script, but does not require user interaction or authentication to run. The attacker could include a malicious link in these error messages, opening the user up to further attack if clicked.

As with any XSS attack, unsanitized text could allow for arbitrary code execution beyond a simple error message. No instances of more sophisticated attacks have been seen at the time of this writing, but as time progresses, additional attacks could use this exploit as a vector.

Urgently required actions

Upgrade PHP to the latest version to ensure that assets have the latest security patches. We also recommend reviewing privileges and asset access of any apps or services that utilize PHP in order to understand what targets are at risk. And, as always, reinforce security awareness with users, so they know the risks of clicking on links in error messages. Clicking on new messages from trusted sites can be just as dangerous as clicking on messages from untrusted sources.

Identifying affected systems

Tenable has released the following plugins to scan for this vulnerability. Please note that our plugins look for the affected PHP versions without regards to the target’s platform in order to err on the side of caution. Even though this vulnerability only appears to affect Apache at this time, we recommend upgrading PHP to the latest version, even for users using other platforms that utilize PHP, in order to ensure maximum risk reduction.

Get more information

• Alert from the Center for Internet Security

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.