httpd-dev mailing list archives

From "Joshua Slive" <>
Subject Re: XSS vulnerability in mod_negotiation - status in 2.2.8?
Date Tue, 05 Feb 2008 15:13:36 GMT
On Feb 5, 2008 5:40 AM, Boyle Owen <> wrote:
> Greetings,
> Our security guy noticed this alert about a XSS vulnerability in
> mod_negotiation:
> According to the link, it applies to apache <= 2.2.6, so no worries for
> 2.2.8.
> However, when I double-check the changelog for 2.2.8
> ( there is no specific
> mention of a patch in mod_negotiation...
> From a quick inspection of the source code, there was no change to
> mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
> vulnerability is still present in 2.2.8? (i.e., can it have been handled
> at a higher level?)

If I remember correctly, the security does not consider this a
vulnerability. To do the XSS you need control of filenames on the
server. If you have that, you probably have much-more-straightforward
ways to steal cookies.

There might be a very-few badly-configured sites that are vulnerable
to this, so it should be fixed. But it is not a serious security

