httpd-cvs mailing list archives

From jor...@apache.org
Subject svn commit: r556941 - in /httpd/httpd/branches/2.2.x: CHANGES modules/generators/mod_status.c
Date Tue, 17 Jul 2007 15:10:12 GMT
Author: jorton
Date: Tue Jul 17 08:10:05 2007
New Revision: 556941

URL: http://svn.apache.org/viewvc?view=rev&rev=556941
Log:
Merge r549159 from trunk:

Fix CVE-2006-5752:

* modules/generators/mod_status.c (status_handler): Specify charset in
content-type to prevent browsers doing charset "detection", which
allows an XSS attack.  Use logitem-escaping on the request string to
make it charset-neutral.

Reported by: Stefan Esser <sesser hardened-php.net>
Submitted by: jorton
Reviewed by: jorton, fuankg, rpluem

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/generators/mod_status.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=diff&rev=556941&r1=556940&r2=556941
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Jul 17 08:10:05 2007
@@ -11,6 +11,11 @@
      be forced to kill processes outside its process group. 
      [Joe Orton, Jim Jagielski]
 
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
   *) mod_cache: Do not set Date or Expires when they are missing from
      the original response or are invalid.  [Justin Erenkrantz]
 
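Review bot: The CHANGES entry describes only the charset side of the fix, but the mod_status.c change also switches the request string to ap_escape_logitem() before HTML-escaping it; since that changes how non-printable bytes in request lines are rendered on the status page (as backslash escapes rather than raw bytes), it is worth a clause in the entry, e.g. "... and escape non-printable bytes in the request string".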

Modified: httpd/httpd/branches/2.2.x/modules/generators/mod_status.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/generators/mod_status.c?view=diff&rev=556941&r1=556940&r2=556941
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/generators/mod_status.c (original)
+++ httpd/httpd/branches/2.2.x/modules/generators/mod_status.c Tue Jul 17 08:10:05 2007
@@ -270,7 +270,7 @@
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
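Review bot: The literal "text/html; charset=ISO-8859-1" is hardcoded here and a second, near-identical literal appears in the STAT_OPT_AUTO branch below; a single `#define STATUS_CHARSET "ISO-8859-1"` (or similar) used by both ap_set_content_type() calls would keep the two in step if the charset is ever revisited. The placement is otherwise right: this sets the default for the HTML report before the query options are parsed, so the ?auto branch can still override it.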
@@ -299,7 +299,7 @@
                     no_table_report = 1;
                     break;
                 case STAT_OPT_AUTO:
-                    ap_set_content_type(r, "text/plain");
+                    ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
                     short_report = 1;
                     break;
                 }
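Review bot: The ?auto output is text/plain and is read by scripts rather than browsers, so this change is mainly for consistency with the HTML path; that is fine, but note that any consumer doing an exact match on the Content-Type header value (`text/plain`) will now see the parameter appended. The CHANGES entry and commit log could mention that the machine-readable output's Content-Type gains a charset parameter too.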
@@ -673,7 +673,8 @@
                                ap_escape_html(r->pool,
                                               ws_record->client),
                                ap_escape_html(r->pool,
-                                              ws_record->request),
+                                              ap_escape_logitem(r->pool,
+                                                                ws_record->request)),
                                ap_escape_html(r->pool,
                                               ws_record->vhost));
                 }
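Review bot: The nesting order is the important detail here and deserves a short comment in the code: ap_escape_logitem() runs first so that non-printable and high-bit bytes in ws_record->request become backslash escapes (pure ASCII), and ap_escape_html() runs on that result so the backslash-escaped quote characters it emits are still entity-encoded. Reversing the order would leave raw bytes in the output. The double allocation from r->pool per worker record is acceptable for a status page but could be noted.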
@@ -763,7 +764,8 @@
                                    ap_escape_html(r->pool,
                                                   ws_record->vhost),
                                    ap_escape_html(r->pool,
-                                                  ws_record->request));
+                                                  ap_escape_logitem(r->pool, 
+                                                                    ws_record->request)));
                 } /* no_table_report */
             } /* for (j...) */
         } /* for (i...) */
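Review bot: The added line `ap_escape_logitem(r->pool, ` carries trailing whitespace after the comma; please strip it before commit. Since this is the second place the same two-level ap_escape_html(ap_escape_logitem(...)) construct is written, a small static helper (e.g. a hypothetical `escape_request(r->pool, ws_record->request)`) would remove the duplication and make the escaping order a single point of review.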
