[Zope] unprotected VHM usage may facilitate cache poisoning

Jeff Youel jyouel-lists@youel.net
03 Feb 2003 10:25:35 -0800


On Mon, 2003-02-03 at 02:22, Jamie Heilman wrote:
> Letting anonymous clients send tainted requests to a VHM enabled site
> is not a good idea, and should be guarded against.  A tainted request
> in this case is one whose URI contains the substrings
> "/VirtualHostBase/", "/VirtualHostRoot/", or "/_vh_".  For unprotected
> sites using VHMs, letting an anonymous client send URIs containing
> those substrings will result in the returned document rendered in the
> context of an appropriately mangled traversal request name stack.
> Usually if that mangling results in a bunch of broken URLs in the
> document it's no big deal.[1]  It is a big deal though, if you're using
> a cache, and that request results in a cache miss--then that broken
> document gets stored as the response for subsequent requests.  Oops.
> 

Thanks for pointing this out.

> I've verified this can be a problem when using RAM Caches, I haven't
> tried external caches, depending on how they key the content it may
> or may not be a problem.
> 

For Squid, I don't think this is a problem because it keys the cache by
URL (really md5(URL)).  But, if someone comes up with an exploit using
the VHM keywords, you can set up ACL rules to 403 them.  These rules
worked for me (using squid + pyredir):

	# deny any request whose path carries a VHM traversal marker;
	# "_vh_" is a prefix of a path element (e.g. /_vh_foo), so it
	# must be matched without a trailing slash
	acl VHM urlpath_regex /VirtualHostBase/
	acl VHM urlpath_regex /VirtualHostRoot/
	acl VHM urlpath_regex /_vh_
	http_access deny VHM

Thanks,
Jeff
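
The check described in this thread, as an added example that is not code from the thread or from Zope: a small Python filter that applies Jamie's definition of a tainted request (a path containing "/VirtualHostBase/", "/VirtualHostRoot/" or "/_vh_") to request URLs and to sample access-log lines. It treats the first two markers as whole path elements and "_vh_" as an element prefix, so "/_vh_foo" is caught, and it percent-decodes each element before comparing; that Zope's publisher decodes path elements the same way is an assumption of this example, not something verified here. The log lines, addresses and host names are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Request-path markers that Jamie Heilman's message calls "tainted":
# "/VirtualHostBase/", "/VirtualHostRoot/" and "/_vh_".  The first two are
# whole path elements; "_vh_" is a prefix of an element (e.g. "/_vh_foo"),
# so a rule that requires "/_vh_/" would miss it.
VHM_ELEMENTS = {"VirtualHostBase", "VirtualHostRoot"}
VHM_PREFIX = "_vh_"

# Common-log-format line as a front-end proxy or web server would write it.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)


def path_elements(raw_url):
    """Split the path of a raw request URL into percent-decoded elements.

    Decoding happens per element, after splitting on "/", so an encoded
    slash (%2F) cannot manufacture a new element.  This models a traversal
    engine that unquotes each path element; that Zope's publisher behaves
    this way is an assumption of this example.
    """
    path = urlsplit(raw_url).path
    return [unquote(seg) for seg in path.split("/") if seg]


def vhm_markers(raw_url):
    """Return the VHM traversal markers found in a request path, in order."""
    return [seg for seg in path_elements(raw_url)
            if seg in VHM_ELEMENTS or seg.startswith(VHM_PREFIX)]


def is_tainted(raw_url):
    """True if the request path carries any VHM traversal marker."""
    return bool(vhm_markers(raw_url))


def flag_tainted_requests(log_text):
    """Return (client, url, markers) for each log line with a tainted URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        markers = vhm_markers(m.group("url"))
        if markers:
            hits.append((m.group("client"), m.group("url"), markers))
    return hits


# Constructed sample access log; addresses and host names are made up.
# Line 4 hides the marker behind a percent-encoded "H" (%48); line 5 encodes
# the slashes, which leaves the whole thing as one element and is not a marker.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Feb/2003:10:25:35 -0800] "GET /index_html HTTP/1.0" 200 512
10.0.0.9 - - [03/Feb/2003:10:26:01 -0800] "GET /VirtualHostBase/http/evil.example:80/VirtualHostRoot/index_html HTTP/1.0" 200 512
10.0.0.9 - - [03/Feb/2003:10:26:07 -0800] "GET /_vh_fake/index_html HTTP/1.0" 200 512
10.0.0.9 - - [03/Feb/2003:10:26:12 -0800] "GET /Virtual%48ostBase/http/evil.example:80/VirtualHostRoot/index_html HTTP/1.0" 200 512
10.0.0.7 - - [03/Feb/2003:10:27:00 -0800] "GET /docs/%2FVirtualHostBase%2F HTTP/1.0" 404 120
"""

if __name__ == "__main__":
    for client, url, markers in flag_tainted_requests(SAMPLE_LOG):
        print(f"{client} {url} -> {markers}")
```

The percent-encoded case is the practical difference from a front-end regex: Squid's urlpath_regex sees the raw path, so "/Virtual%48ostBase/" passes an ACL written against the literal spelling, and if the origin server decodes the element before traversal the tainted response is still generated and still cacheable. Whether that decoding happens is the assumption noted above and worth testing against the actual deployment before relying on a proxy-side rule alone.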