In association with heise online

17 January 2008, 17:54

Cross-site scripting vulnerabilities in multiple Apache modules

Vulnerabilities have been found in several modules of the Apache web server, which serves over half the world's web sites. Most of the flaws are cross-site scripting vulnerabilities; one module could also be made to trigger a denial of service. The affected modules are mod_status, mod_proxy_ftp, mod_proxy_balancer, mod_autoindex (Apache 1.3.x only) and mod_imagemap. In mod_status, for example, appending a semicolon to the numeric refresh argument of a server-status request lets an attacker tack an additional URL onto the Refresh header the module sends back. Such a bug can be abused to redirect visitors to a phishing site or, where an unfiltered value is echoed into the page itself, to execute JavaScript in a victim's browser. The common cause is inadequate filtering of request arguments and URLs before they are reflected in the response. Apache versions 1.3.x, 2.0.x and 2.2.x are affected.
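
The following is an added illustration of the filtering failure described above, written for this page; it is not Apache's source and does not reproduce the exact mod_status code. It assumes a request argument named refresh that is copied into a Refresh response header, and contrasts the weak handling (the argument is echoed verbatim, so a semicolon smuggles in a URL) with a strict version that accepts only a run of digits, which is the check the upstream fix applied. The attack string and buffer sizes are constructed for the demonstration; a small HTML-escaping helper is included for values that are echoed into the status page rather than into a header.

```c
/* Added example: untrusted "refresh" argument vs. the Refresh header.
 * Not Apache code; names, sizes and the attack string are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Weak handling: the argument lands in the header unchanged, so
 * refresh=5;URL=http://phish.example/ becomes
 *   Refresh: 5;URL=http://phish.example/
 * which browsers treat as a timed redirect to the attacker's URL. */
int refresh_header_weak(const char *arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "Refresh: %s", arg);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Strict handling: accept only a non-empty run of at most 9 ASCII
 * digits (keeps the value well inside a long). Returns 1 and stores the
 * value on success, 0 on anything else, including an empty string. */
int parse_refresh_seconds(const char *arg, long *secs)
{
    long v = 0;
    size_t i;
    if (arg == NULL || arg[0] == '\0')
        return 0;
    for (i = 0; arg[i] != '\0'; i++) {
        if (i >= 9 || !isdigit((unsigned char)arg[i]))
            return 0;
        v = v * 10 + (arg[i] - '0');
    }
    *secs = v;
    return 1;
}

/* Build the header from a validated number only; -1 means "send no
 * Refresh header at all", which is the safe failure mode. */
int refresh_header_safe(const char *arg, char *out, size_t outlen)
{
    long secs;
    int n;
    if (!parse_refresh_seconds(arg, &secs))
        return -1;
    n = snprintf(out, outlen, "Refresh: %ld", secs);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* A Refresh header carrying a semicolon or "URL=" has been hijacked. */
int header_has_injected_url(const char *hdr)
{
    return (strchr(hdr, ';') != NULL || strstr(hdr, "URL=") != NULL) ? 1 : 0;
}

/* Escape a value before echoing it into HTML; returns -1 if out is too
 * small. Covers the five characters that matter in element and
 * attribute context. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    for (; *in != '\0'; in++) {
        char tmp[2] = { *in, '\0' };
        const char *rep;
        size_t rl;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = tmp;      break;
        }
        rl = strlen(rep);
        if (pos + rl >= outlen)
            return -1;
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed attack value, as it would arrive in the query string. */
    const char *attack = "5;URL=http://phish.example/";
    char hdr[128];

    refresh_header_weak(attack, hdr, sizeof hdr);
    printf("weak:   %s   hijacked=%d\n", hdr, header_has_injected_url(hdr));
    if (refresh_header_safe(attack, hdr, sizeof hdr) == 0)
        printf("strict: %s\n", hdr);
    else
        printf("strict: argument rejected, no Refresh header sent\n");
    refresh_header_safe("30", hdr, sizeof hdr);
    printf("strict: %s   hijacked=%d\n", hdr, header_has_injected_url(hdr));
    return 0;
}
```

The point of the strict variant is that it never tries to "clean" the argument: anything that is not purely digits is dropped, and the client simply gets no Refresh header. Rejecting rather than sanitising is the right default for a value that has exactly one legitimate shape.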

The vulnerabilities, none of which are classed as critical, are fixed in Apache versions 2.2.7-dev, 1.3.40-dev and 2.0.62-dev, the development branches at the time of writing; administrators should watch for the corresponding release builds. Linux distributors such as Red Hat and Mandriva have already shipped patched packages for the affected modules.
