httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: XSS vulnerability in mod_negotiation - status in 2.2.8?
Date Tue, 05 Feb 2008 16:55:41 GMT
Joshua Slive wrote:
> On Feb 5, 2008 5:40 AM, Boyle Owen <Owen.Boyle@swx.com> wrote:
>> Greetings,
>>
>> Our security guy noticed this alert about an XSS vulnerability in
>> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
>> According to the link, it applies to apache <= 2.2.6, so no worries for
>> 2.2.8.

The author of that post was already advised this isn't a vulnerability.
As they want egg on their face for flailing their arms about, surely you
aren't surprised their notes wouldn't otherwise be correct with respect
to the applicable version, are you?

> If I remember correctly, the security does not consider this a
> vulnerability. To do the XSS you need control of filenames on the
> server. If you have that, you probably have much-more-straightforward
> ways to steal cookies.

Bingo. If you can create a file, you can author an XSS page. There simply
is not a vulnerability here.

> There might be a very-few badly-configured sites that are vulnerable
> to this, so it should be fixed. But it is not a serious security
> issue.

Disagree; it is a flaw, the names should be escaped, but there's absolutely
no reason to fix this for 'vulnerable' sites, their misconfiguration is far
more insidious if it has permitted this, and it's considered an XSS in their
context.

Bill
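
The escaping the message above asks for, as an added example that is not part of the original post and is not httpd's own code: a file name read from disk is percent-encoded for the `href` and HTML-escaped for the link text before it goes into a variant list. The function names, buffer sizes and the `<li>` markup are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Escape for HTML text or quoted attributes; returns length, or -1 if dst is too small. */
static int html_escape(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = strlen(rep);
        if (n + len >= cap) return -1;          /* fail closed, never truncate */
        memcpy(dst + n, rep, len); n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Percent-encode every byte outside the RFC 3986 "unreserved" set, for use in an href. */
static int url_escape(const char *src, char *dst, size_t cap) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int safe = isalnum(c) || strchr("-._~", c) != NULL;
        if (n + (safe ? 1 : 3) >= cap) return -1;
        if (safe) { dst[n++] = (char)c; continue; }
        dst[n++] = '%'; dst[n++] = hex[c >> 4]; dst[n++] = hex[c & 15];
    }
    dst[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: one <li> of a variant list for a file name taken from the directory. */
int variant_item(const char *name, char *out, size_t cap) {
    char href[768], text[768];
    if (url_escape(name, href, sizeof href) < 0 || html_escape(name, text, sizeof text) < 0) return -1;
    int n = snprintf(out, cap, "<li><a href=\"%s\">%s</a></li>\n", href, text);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void) {
    char out[2048];  /* the file name below is a constructed sample */
    return variant_item("doc.<img src=x>.html", out, sizeof out) > 0 && fputs(out, stdout) >= 0 ? 0 : 1;
}
```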
