OSVDB ID: 40262

Title: Apache HTTP Server mod_status refresh XSS

Info

Disclosure
Jan 10, 2008

Discovery
Unknown

Dates

Exploit
Unknown

Solution
Jan 19, 2008

Description

 Apache HTTP Server contains a flaw that allows a remote cross site scripting attack. This flaw exists because with mod_status enabled, the application does not validate the refresh parameter on the server-status page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

 Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Available
Disclosure: Vendor Verified, OSVDB Verified
OSVDB: Web Related

Solution

 Upgrade to version 1.3.40, 2.0.62, or 2.27 (or higher), as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Apache Software Foundation

HTTP Server

 2.2.6
2.2.5
2.2.4
2.2.3
2.2.2
2.2.0
2.0.61
2.0.59
2.0.58
2.0.55
2.0.54
2.0.53
2.0.52
2.0.51
2.0.50
2.0.49
2.0.48
2.0.47
2.0.46
2.0.45
2.0.44
2.0.43
2.0.42
2.0.40
2.0.39
2.0.37
2.0.36
2.0.35
1.3.39
1.3.37
1.3.36
1.3.35
1.3.34
1.3.33
1.3.32
1.3.31
1.3.29
1.3.28
1.3.27
1.3.26
1.3.24
1.3.22
1.3.20
1.3.19
1.3.17
1.3.14
1.3.12
1.3.11
1.3.9
1.3.6
1.3.4
1.3.3
1.3.2

References

Credit
  • SecurityReason - SecurityReason
  • sp3x -


Direct URL: http://osvdb.org/36218