A serious vulnerability has been identified in the current SSL (version 3) and TLS (version 1) protocols whereby an attacker, by exploiting a flaw in the SSL renegotiation mechanism, is able to issue commands to the server that appear to come from a legitimate client.
As an example, consider the following HTTP request as the server sees it:

GET /path/to/index.php HTTP/1.0
Dummy-Header: GET /index.php HTTP/1.0
Cookie: sessionCookie=Token

The first line and the unterminated "Dummy-Header:" are supplied by the attacker; the legitimate client's own request arrives after the renegotiation and is appended, so its request line becomes the value of that header while its cookie is applied to the attacker's request.
The good news is that although an attacker can execute the request and pass through arbitrary data, they will not be able to see the response. However, the originating client will see something different from what was initially requested.
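The spliced request above, reconstructed as the server would parse it, together with a heuristic that flags the tell-tale shape (a header whose value is itself a complete request line). This is an added example, not code from the original post or from any WAF product; both sample requests are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample: the attacker's prefix ("GET /path/to/index.php ..."
# followed by an unterminated "Dummy-Header: ") with the victim's
# renegotiated request appended. The victim's request line becomes the
# header value, and the victim's cookie is attached to the attacker's path.
SPLICED_REQUEST = (
    "GET /path/to/index.php HTTP/1.0\r\n"
    "Dummy-Header: GET /index.php HTTP/1.0\r\n"
    "Cookie: sessionCookie=Token\r\n"
    "\r\n"
)

# Constructed sample of an ordinary request for comparison.
NORMAL_REQUEST = (
    "GET /index.php HTTP/1.0\r\n"
    "Cookie: sessionCookie=Token\r\n"
    "\r\n"
)

# A full HTTP/1.x request line: method, target, version, nothing else.
REQUEST_LINE = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]$"
)


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request into its request line and header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_embedded_request_lines(raw: str) -> List[str]:
    """Return the names of headers whose value is a complete request line.

    No legitimate client sends that; it is the shape left behind when an
    attacker's prefix ending in 'Header: ' is spliced in front of the
    client's request during renegotiation.
    """
    _, headers = parse_request(raw)
    return [name for name, value in headers if REQUEST_LINE.match(value)]
```

The check only recognises this particular shape of splice; it is a detection aid for logs and request inspection, not a substitute for the upstream protocol patches.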
We have done some testing with web application firewalls such as ModSecurity and have yet to find a way to block such requests. It looks like we will need to wait for upstream patches, particularly from Apache and Microsoft, and possibly an interim release from ModSecurity.
To track the exploit, see http://www.kb.cert.org/vuls/id/120541
Rob Greenwood, Technical Lead
This entry was posted on Thursday, November 12th, 2009 at 2:57 pm and is filed under Dedicated Servers, Melbourne News.