Apache HTTP Server 2.2.6, 2.0.61 and 1.3.39 'mod_status' Cross-Site Scripting Vulnerability
2008/01/15 20:48
The Apache HTTP Server 'mod_status' module is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reports indicate that this issue can also be used to redirect user's browser to arbitrary locations and may aid in phishing attacks.
The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev.
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
Solution:
The vendor has released Apache 2.2.7-dev to address this issue. Please see the referenced advisories for more information.
NOTE: Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev are development versions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reports indicate that this issue can also be used to redirect user's browser to arbitrary locations and may aid in phishing attacks.
The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev.
An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI.
Solution:
The vendor has released Apache 2.2.7-dev to address this issue. Please see the referenced advisories for more information.
NOTE: Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev are development versions.
