httpd-dev mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: XSS vulnerability in mod_negotiation - status in 2.2.8?
Date Tue, 05 Feb 2008 15:13:36 GMT

On Feb 5, 2008 5:40 AM, Boyle Owen <Owen.Boyle@swx.com> wrote:
> Greetings,
>
> Our security guy noticed this alert about an XSS vulnerability in
> mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
> According to the link, it applies to apache <= 2.2.6, so no worries for
> 2.2.8.
>
> However, when I double-check the changelog for 2.2.8
> (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific
> mention of a patch in mod_negotiation...
>
> From a quick inspection of the source code, there was no change to
> mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the
> vulnerability is still present in 2.2.8? (i.e., can it have been handled
> at a higher level?)

If I remember correctly, the security does not consider this a
vulnerability. To do the XSS you need control of filenames on the
server. If you have that, you probably have much more straightforward
ways to steal cookies.

There might be a very few badly configured sites that are vulnerable
to this, so it should be fixed. But it is not a serious security
issue.

Joshua.
