httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <jos...@slive.ca>
Subject Re: cross-site scripting
Date Fri, 05 Apr 2002 21:53:28 GMT

On Fri, 5 Apr 2002, McIrvin wrote:

> Does anyone know how the cross-site scripting issue has been addressed in
> the current (1.3.24) release of Apache? The last reference to this problem
> was back in version 1.3.12 I think. I was reminded of this as Nessus still
> points it out as a security hole in Apache.
>
> Any news on the state of this vulnerability?

This never really was a vulnerability in Apache.  Apache did a few things
that made it easier to expose, but those were fixed long ago.  The real
vulnerability is in dynamic content generators like CGI scripts, SSI
pages, PHP scripts, etc.

See:
http://httpd.apache.org/info/css-security/

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message