KB Article #156106

Vulnerability scan reports (CVE-2012-0053)

Problem


Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies (CVE-2012-0053).

Resolution

The End User UI (httpd) does not use "httpOnly" cookies at all, so it is not vulnerable to CVE-2012-0053. The Admin UI (admind) can be remediated by configuring a custom ErrorDocument 400. In order to pass a PCI compliance scan you might need to place the ErrorDocument directive in both admin.conf and httpd.conf.

One way to do this is:

  1. Open ${FILEDRIVEHOME}/conf/admin.conf
  2. Locate the following text:
    HostnameLookups Off
  3. Add the following line:

    ErrorDocument 400 "<html><body> 400 Bad Request! The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications </body></html>"
  4. Restart admind by using the following commands:
    ${FILEDRIVEHOME}/bin/stop_admin
    ${FILEDRIVEHOME}/bin/start_admin

* Please note that the Apache server included in SecureTransport does not allow the ErrorDocument directive to point to a custom HTML file, for instance ${FILEDRIVEHOME}/share/htdocs/html/errordocument400.html, so the custom page text has to be placed inline in ${FILEDRIVEHOME}/conf/admin.conf.
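As an added check (not part of this article or of SecureTransport), the following Python script verifies that both admin.conf and httpd.conf carry an active, inline ErrorDocument 400 directive and flags a directive that points at a file or URL, which the bundled Apache does not honour. It assumes ${FILEDRIVEHOME} is exported in the environment; the sample config text below is constructed for illustration.

```python
import os
import re
import sys

# Matches an active (uncommented) "ErrorDocument 400 <value>" line.
ERRORDOC_400 = re.compile(r"^[ \t]*ErrorDocument[ \t]+400[ \t]+(\S.*?)[ \t]*$",
                          re.IGNORECASE | re.MULTILINE)

# Constructed samples of the relevant admin.conf lines (not real files).
SAMPLE_FIXED = ('HostnameLookups Off\n'
                'ErrorDocument 400 "<html><body> 400 Bad Request! The request could not be '
                'understood by the server due to malformed syntax. </body></html>"\n')
SAMPLE_MISSING = "HostnameLookups Off\n"
SAMPLE_COMMENTED = 'HostnameLookups Off\n# ErrorDocument 400 "disabled"\n'
SAMPLE_FILE_PATH = "ErrorDocument 400 /share/htdocs/html/errordocument400.html\n"


def check_error_document(conf_text):
    """Classify the ErrorDocument 400 setting in one config file's text.

    'ok'          an inline quoted message, the form this article calls for
    'missing'     no active ErrorDocument 400 directive at all
    'not_inline'  a local path or URL, which the bundled Apache does not honour
    """
    values = ERRORDOC_400.findall(conf_text)
    if not values:
        return "missing"
    value = values[-1]  # a later directive overrides an earlier one
    return "ok" if value.startswith('"') else "not_inline"


def check_files(paths):
    """Return {path: status}; an unreadable file is reported as 'missing'."""
    results = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = check_error_document(fh.read())
        except OSError:
            results[path] = "missing"
    return results


if __name__ == "__main__":
    home = os.environ.get("FILEDRIVEHOME", ".")
    results = check_files([f"{home}/conf/admin.conf", f"{home}/conf/httpd.conf"])
    for path, status in results.items():
        print(f"{status:10s} {path}")
    sys.exit(0 if all(s == "ok" for s in results.values()) else 1)
```

The script exits non-zero when either file lacks an inline ErrorDocument 400, so it can run after the restart in step 4 and before a compliance rescan.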