On 3/31/25 21:44, Enxin Xie wrote:
[...]

Description:

Private Data Structure Returned From A Public Method vulnerability in Apache 
Answer.

This issue affects Apache Answer: through 1.4.2.

If a user uses an externally referenced image, when a user accesses this image, 
the provider of the image may obtain private information about the ip address 
of that accessing user.
Users are recommended to upgrade to version 1.4.5, which fixes the issue. In 
the new version, administrators can set whether external content can be 
displayed.

This hits two major pet peeves of mine:

First, only versions through 1.4.2 are vulnerable, but the issue was fixed in 1.4.5?  What about 1.4.3 and 1.4.4?

Second, the short description is *not* an accurate summary of the issue:  there is no public method that returns a private data structure here.  The possibility of planting a web bug (this is an ancient issue and the reason better email clients block references to remote media by default) is *different* from Apache Answer *itself* exposing a public method that leaks private data.

This issue is more akin to XSS, except that web bugs are older than JavaScript.  The "leaked" IP address originates from the *user's* machine making a connection to retrieve an untrusted resource.  Perhaps "same origin" should have been imposed on images, but it is not.


-- Jacob

