From: "Hagan, Mark"
To: users@httpd.apache.org
Date: Tue, 2 May 2017 03:24:01 +0000
Message-ID: <4DCD416180243D458C6FF3893DD8194B99BE26AC@EXGTMB46.nam.nsroot.net>
Subject: [users@httpd] XSS Issue in v2.0.59

Hello All,

Looking for some help to determine if I can configure Apache 2.0.59 to address a couple of Cross Site Scripting (XSS) vulnerabilities. I'm not able to upgrade to a later version, so I'm trying to understand if there is functionality within this version to address the XSS issue.

I have 2 specific issues:

1. Validating input (whitelisting acceptable characters)
2. Sanitizing or encoding output (for instance, the character < would be encoded as &lt;, which would be displayed by the browser as the "less-than" character instead of being interpreted as the start of an HTML tag.)

I am not an experienced Apache administrator, so any help would be most appreciated.

Thanks.
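As an added illustration, not code from the original post: the two controls Mark lists, implemented in the application that generates the page, since the correct encoding for a value depends on where in the page it is emitted and the web server alone does not know that. The account-name format, the function names and the sample values are assumptions made for this example.

```python
import re
from urllib.parse import quote

# 1. Input validation: a whitelist of the characters the field legitimately
#    needs. Non-matching input is rejected outright rather than "cleaned",
#    so there is no partial-stripping logic to be worked around.
#    The field format (a short account name) is an assumption for this example.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def is_valid_account_name(value: str) -> bool:
    return ACCOUNT_NAME_RE.fullmatch(value) is not None

# 2. Output encoding: each output context has its own metacharacters, so the
#    same value is encoded differently for HTML text, a quoted HTML attribute
#    value and a URL query parameter. The encoding is applied at the point of
#    output, which is why it belongs in the application, not the web server.
_HTML_TEXT_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}
_HTML_ATTR_ESCAPES = {**_HTML_TEXT_ESCAPES, '"': "&quot;", "'": "&#x27;"}

def encode_html_text(value: str) -> str:
    """Safe for element content, e.g. <p>...</p>."""
    return "".join(_HTML_TEXT_ESCAPES.get(ch, ch) for ch in value)

def encode_html_attr(value: str) -> str:
    """Safe inside a quoted attribute value, e.g. value="..."."""
    return "".join(_HTML_ATTR_ESCAPES.get(ch, ch) for ch in value)

def encode_url_param(value: str) -> str:
    """Safe as a query-string value: percent-encode all but unreserved characters."""
    return quote(value, safe="")

def render_profile_link(name: str) -> str:
    """Emit one fragment that uses `name` in three contexts, each encoded for its context."""
    return (
        "<p>Hello, {text}!</p>\n"
        '<input type="text" name="account" value="{attr}">\n'
        '<a href="/profile?account={url}">profile</a>'
    ).format(
        text=encode_html_text(name),
        attr=encode_html_attr(name),
        url=encode_url_param(name),
    )

if __name__ == "__main__":
    # Constructed sample: a value that would break out of every context if emitted raw.
    sample = '"><b>not bold</b>'
    print("whitelist accepts:", is_valid_account_name(sample))  # False
    print(render_profile_link(sample))
```

The whitelist is the first line of defence and the encoding the second; neither replaces the other, because a field that legitimately accepts `<` (free text) still has to be encoded on output.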