httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r549159 - in /httpd/httpd/trunk: CHANGES modules/generators/mod_status.c
Date Wed, 18 Jul 2007 13:46:40 GMT
On Wed, Jul 18, 2007 at 08:25:59AM -0400, Jeff Trawick wrote:
> On 6/20/07, jorton@apache.org <jorton@apache.org> wrote:
> >Author: jorton
> >Date: Wed Jun 20 10:29:24 2007
> >New Revision: 549159
> >
> >URL: http://svn.apache.org/viewvc?view=rev&rev=549159
> >Log:
> >Fix CVE-2006-5752:
> >
> >* modules/generators/mod_status.c (status_handler): Specify charset in
> >content-type to prevent browsers doing charset "detection", which
> >allows an XSS attack.  Use logitem-escaping on the request string to
> >make it charset-neutral.
> 
> assert(
> 
> The part of the fix that addresses the vulnerability is providing the
> charset; the escaping change is just for predictable display.  So the
> following is a simple, understandable circumvention.
> 
> <Location /server-status>
> SetHandler server-status
> AddDefaultCharset ISO-8859-1
> ...
> </Location>
> 
> ) ???

That's all correct, yes, sorry if the wording is not clear above. The 
logitem-escaping stuff is just to ensure the status output really is 
plain ISO-8859-1, a cosmetic change not necessary to fixing the 
vulnerability.

joe
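
Added example, not part of the original message or of httpd: a small Python audit that finds `<Location>`/`<LocationMatch>` blocks enabling `server-status` and reports whether the block itself carries the `AddDefaultCharset` workaround quoted above. The function names and the sample config are constructed for illustration; a charset setting inherited from an enclosing scope is not considered.

```python
import re

# Constructed sample config (not from the original message): one block with the
# workaround quoted in the thread, one block without it.
SAMPLE_CONF = """\
<Location /server-status>
    SetHandler server-status
    AddDefaultCharset ISO-8859-1
</Location>

<Location "/status">
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""

OPEN = re.compile(r'<(Location|LocationMatch)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Location|LocationMatch)\s*>', re.I)

def audit_status_charset(conf_text):
    """Return [(path, charset_or_None)] for each block that sets server-status."""
    results, path, is_status, charset = [], None, False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            path, is_status, charset = m.group(2).strip(), False, None
            continue
        if CLOSE.match(line):
            if path is not None and is_status:
                results.append((path, charset))
            path = None
            continue
        if path is None:
            continue  # directive outside any Location block: out of scope here
        parts = line.split()
        directive = parts[0].lower()
        if directive == "sethandler" and len(parts) > 1 and parts[1].strip('"').lower() == "server-status":
            is_status = True
        elif directive == "adddefaultcharset" and len(parts) > 1:
            # "Off" removes the charset parameter, so it does not count as the workaround.
            value = parts[1].strip('"')
            charset = None if value.lower() == "off" else value
    return results

def missing_charset(conf_text):
    """Paths of server-status blocks with no explicit charset in the block."""
    return [p for p, cs in audit_status_charset(conf_text) if cs is None]
```

On a build that already includes r549159 the handler specifies the charset itself, so a flagged block matters only on servers without that change.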
