* modules/generators/mod_status.c (status_handler): Specify charset in
content-type to prevent browsers doing charset "detection", which
allows an XSS attack. Use logitem-escaping on the request string to
make it charset-neutral.
Reported by: Stefan Esser <sesser hardened-php.net>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@549159
13f79535-47bb-0310-9956-
ffa450edef68
Changes with Apache 2.3.0
[Remove entries to the current 2.0 and 2.2 section below, when backported]
+ *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+ mod_status: Fix a possible XSS attack against a site with a public
+ server-status page and ExtendedStatus enabled, for browsers which
+ perform charset "detection". Reported by Stefan Esser. [Joe Orton]
+
*) mpm: Add a parent process local table of child process PIDs, and
use that to ensure we are sending signals to just our child
processes by checking the scoreboard PID entries to our local
if (r->method_number != M_GET)
return DECLINED;
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
/*
* Simple table-driven form data set parser that lets you alter the header
no_table_report = 1;
break;
case STAT_OPT_AUTO:
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
short_report = 1;
break;
}
ap_escape_html(r->pool,
ws_record->client),
ap_escape_html(r->pool,
- ws_record->request),
+ ap_escape_logitem(r->pool,
+ ws_record->request)),
ap_escape_html(r->pool,
ws_record->vhost));
}
ap_escape_html(r->pool,
ws_record->vhost),
ap_escape_html(r->pool,
- ws_record->request));
+ ap_escape_logitem(r->pool,
+ ws_record->request)));
} /* no_table_report */
} /* for (j...) */
} /* for (i...) */