* Ensure refresh parameter is numeric to prevent a possible XSS attack caused

author Ruediger Pluem <rpluem@apache.org>

Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)

committer Ruediger Pluem <rpluem@apache.org>

Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)
author Ruediger Pluem <rpluem@apache.org>
Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)
committer Ruediger Pluem <rpluem@apache.org>
Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)
diff --git a/CHANGES b/CHANGES

index 4434d903f3f98549c0622bf277be54cfbc4f3f81..492bcf4fd994aa40e3096dc5bd3230e5b6983405 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
  Changes with Apache 2.3.0
  [ When backported to 2.2.x, remove entry from this file ]
  
+  *) SECURITY: CVE-2007-6388 (cve.mitre.org)
+     mod_status: Ensure refresh parameter is numeric to prevent
+     a possible XSS attack caused by redirecting to other URLs. 
+     Reported by SecurityReason.  [Mark Cox, Joe Orton]
+
    *) mod_proxy_balancer: Correctly escape the worker route and the worker
       redirect string in the HTML output of the balancer manager.
       Reported by SecurityReason. [Ruediger Pluem]
diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c

index f2649541b373d10e9d4e646b3a356cdf8357f8b5..38859e38156e531ffd399fdb7e69e63227a67743 100644 (file)
--- a/modules/generators/mod_status.c
+++ b/modules/generators/mod_status.c
@@ -71,6 +71,7 @@
  #endif
  #define APR_WANT_STRFUNC
  #include "apr_want.h"
+#include "apr_strings.h"
  
  #ifdef NEXT
  #if (NX_CURRENT_COMPILER_RELEASE == 410)
@@ -296,19 +297,18 @@ static int status_handler(request_rec *r)
              if ((loc = ap_strstr_c(r->args,
                                     status_options[i].form_data_str)) != NULL) {
                  switch (status_options[i].id) {
-                case STAT_OPT_REFRESH:
-                    if (*(loc + strlen(status_options[i].form_data_str)) == '='
-                        && atol(loc + strlen(status_options[i].form_data_str)
-                                + 1) > 0)
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str,
-                                      loc +
-                                      strlen(status_options[i].hdr_out_str) +
-                                      1);
-                    else
-                        apr_table_set(r->headers_out,
-                                      status_options[i].hdr_out_str, "1");
+                case STAT_OPT_REFRESH: {
+                    apr_size_t len = strlen(status_options[i].form_data_str);
+                    long t = 0;
+
+                    if (*(loc + len ) == '=') {
+                        t = atol(loc + len + 1);
+                    }
+                    apr_table_set(r->headers_out,
+                                  status_options[i].hdr_out_str,
+                                  apr_ltoa(r->pool, t < 1 ? 1 : t));
                      break;
+                }
                  case STAT_OPT_NOTABLE:
                      no_table_report = 1;
                      break;
author	Ruediger Pluem <rpluem@apache.org>
	Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)
committer	Ruediger Pluem <rpluem@apache.org>
	Fri, 28 Dec 2007 16:29:40 +0000 (16:29 +0000)
CHANGES		patch \| blob \| history
modules/generators/mod_status.c		patch \| blob \| history