24th Oct 2002 [SBWID-5774]
COMMAND
apache cross site scripting
SYSTEMS AFFECTED
<= apache-1.3.22-1.0.5
<= apache-1.3.26-1.1.1
<= apache-1.3.27-20021009
PROBLEM
In OpenPKG Security Advisory:
http://www.openpkg.org/security.html
--snip--
Joe Orton <jorton@redhat.com> discovered a cross site scripting
(XSS) bug [3] in mod_ssl [1], the SSL/TLS component for the Apache
webserver [2]. Like the other recent Apache XSS bugs, this only affects
servers using a combination of "UseCanonicalName off" (_not_ the
default in OpenPKG package of Apache) and a wildcard A record of the
server in the DNS. Although this combination for HTTPS servers is even
less common than with plain HTTP servers, this nevertheless could allow
remote attackers to execute client-side script code as other web page
visitors via the HTTP "Host" header.
--snip--
[1] http://www.modssl.org/
[2] http://httpd.apache.org/
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840
SOLUTION
Get either:
>= apache-1.3.22-1.0.6
>= apache-1.3.26-1.1.2
>= apache-1.3.27-20021023
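
An added example, not part of the advisory or of OpenPKG's tooling: a small Python check that scans an Apache 1.3 configuration for scopes where UseCanonicalName is effectively off (the server-side precondition named above) and flags which of them also enable SSLEngine. The sample configuration is constructed, the inheritance model (a virtual host inherits the global value when it sets none) is a simplifying assumption, and the wildcard DNS record has to be checked separately.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
ServerName www.example.com
UseCanonicalName On
<VirtualHost _default_:443>
    SSLEngine on
    # UseCanonicalName On
    UseCanonicalName Off
</VirtualHost>
<VirtualHost *:80>
    usecanonicalname off
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLEngine on
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(UseCanonicalName|SSLEngine)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def audit(conf_text):
    """Return [(scope, ssl_enabled)] for scopes with UseCanonicalName off."""
    scopes = {"global": {}}
    current = "global"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # skip commented-out directives
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = "vhost " + opened.group(1).strip()
            scopes.setdefault(current, {})
        elif VHOST_CLOSE.match(line):
            current = "global"
        else:
            found = DIRECTIVE.match(line)
            if found:                          # last setting in a scope wins
                scopes[current][found.group(1).lower()] = found.group(2).strip('"').lower()
    base = scopes["global"]
    findings = []
    for name, cfg in scopes.items():
        # Assumption: unset values fall back to global, then to the 1.3 defaults.
        canon = cfg.get("usecanonicalname", base.get("usecanonicalname", "on"))
        ssl = cfg.get("sslengine", base.get("sslengine", "off"))
        if canon == "off":
            findings.append((name, ssl == "on"))
    return findings

if __name__ == "__main__":
    for scope, ssl in audit(SAMPLE_CONF):
        print(f"{scope}: UseCanonicalName off, SSLEngine {'on' if ssl else 'off'}")
```

Directives inside nested sections such as <Directory> are attributed to the enclosing virtual host or to the global scope.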