Bug 44014 - Fix XSS in error page #413
Summary: Fix XSS in error page #413
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core (show other bugs)
Version: 2.2.6
Hardware: Other All
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-03 06:50 UTC by Victor Stinner
Modified: 2009-03-11 13:26 UTC (History)
1 user (show)


Attachments
Fix the XSS (1.11 KB, patch)
2007-12-03 06:50 UTC, Victor Stinner 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Stinner 2007-12-03 06:50:40 UTC 
Procheckup just published a bug in Apache 2.2 which is not fixed in Apache 2.2 
branch of Subversion: http://procheckup.com/Vulnerability_PR07-37.php

I wrote a small patch to fix it.
Comment 1 Victor Stinner 2007-12-03 06:50:59 UTC 
Created attachment 21220 [details]
Fix the XSS
Comment 2 William A. Rowe Jr. 2007-12-03 11:56:47 UTC 
For a host of reasons, this is generally not exploitable in any usual case,
and would represent a very unusual client.  Quoting the "vulnerability" report;

"This type of attack can result in non-persistent defacement of the target site, 
or the redirection of confidential information (i.e. session IDs) to unauthorised 
third parties provided that a web browser is tricked to submit a malformed HTTP 
method."

Given that this is nonsense in the context of a web browser, no CVE will be
assigned, but thank you for the report, it is a bug worth fixing.  Proposed
for backport to 2.2 and 2.0.
Comment 3 Ben Ricker 2009-03-11 11:26:27 UTC 
Has this been backported to the 2.0.x branch? If so, what version what that done to? I am trying to track down if 2.0.x has had this bug fixed or not.
Comment 4 Eric Covener 2009-03-11 13:26:31 UTC 
fixed in 2.0.x revision 603713, released in 2.0.63:

http://www.apache.org/dist/httpd/CHANGES_2.0.63