Fix CVE-2006-5752:
authorJoe Orton <jorton@apache.org>
Wed, 20 Jun 2007 17:29:24 +0000 (17:29 +0000)
committerJoe Orton <jorton@apache.org>
Wed, 20 Jun 2007 17:29:24 +0000 (17:29 +0000)
* modules/generators/mod_status.c (status_handler): Specify charset in
content-type to prevent browsers doing charset "detection", which
allows an XSS attack.  Use logitem-escaping on the request string to
make it charset-neutral.

Reported by: Stefan Esser <sesser hardened-php.net>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@549159 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/generators/mod_status.c

diff --git a/CHANGES b/CHANGES
index ccf4eded438924ee9fafa8c4a33268913a79288f..3493d30c4d5b3dd7e61e4486c621b46c068ff78b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
 
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
   *) mpm: Add a parent process local table of child process PIDs, and
      use that to ensure we are sending signals to just our child
      processes by checking the scoreboard PID entries to our local
index 7fb0f332f7adeff51001c31c698a373768ca6b30..b2a6ea28cc00671fde2132db762c6e3f8b324454 100644 (file)
@@ -270,7 +270,7 @@ static int status_handler(request_rec *r)
     if (r->method_number != M_GET)
         return DECLINED;
 
-    ap_set_content_type(r, "text/html");
+    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
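Review bot: The content-type string with its charset is now a literal repeated in two places — here and in the STAT_OPT_AUTO case of the next hunk — so a future edit to one can silently leave the other sniffable again. I'd hoist the charset into one definition near the top of the file, `#define STATUS_CHARSET "; charset=ISO-8859-1"`, and use `ap_set_content_type(r, "text/html" STATUS_CHARSET);` here and `ap_set_content_type(r, "text/plain" STATUS_CHARSET);` in the auto case, with a comment stating that the explicit charset is what stops browser charset detection (the XSS vector named in the commit message). If status_handler sets a content type anywhere outside these two hunks, that call would need the same treatment, which I cannot confirm from here. status_handler begins before this hunk and continues after it.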
@@ -299,7 +299,7 @@ static int status_handler(request_rec *r)
                     no_table_report = 1;
                     break;
                 case STAT_OPT_AUTO:
-                    ap_set_content_type(r, "text/plain");
+                    ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
                     short_report = 1;
                     break;
                 }
@@ -673,7 +673,8 @@ static int status_handler(request_rec *r)
                                ap_escape_html(r->pool,
                                               ws_record->client),
                                ap_escape_html(r->pool,
-                                              ws_record->request),
+                                              ap_escape_logitem(r->pool,
+                                                                ws_record->request)),
                                ap_escape_html(r->pool,
                                               ws_record->vhost));
                 }
@@ -763,7 +764,8 @@ static int status_handler(request_rec *r)
                                    ap_escape_html(r->pool,
                                                   ws_record->vhost),
                                    ap_escape_html(r->pool,
-                                                  ws_record->request));
+                                                  ap_escape_logitem(r->pool, 
+                                                                    ws_record->request)));
                 } /* no_table_report */
             } /* for (j...) */
         } /* for (i...) */
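Review bot: The added line `ap_escape_logitem(r->pool, ` carries a trailing space after the comma, which the previous hunk's equivalent line does not; stripping it keeps the two call sites textually identical and avoids whitespace noise in future diffs. The enclosing ap_rprintf call and status_handler both begin before this hunk.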