SECURITY: CVE-2006-5752 (cve.mitre.org)

mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which
perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]

Joe's patch was tweaked ever so slightly by me, then reviewed
by Joe and Sander T.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@559142 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/src/CHANGES b/src/CHANGES
index b2c21c2588e038c67c6284ac45e1913fa0832e82..86de12e489b469ae232aff5f154d3a4ce36e14a5 100644 (file)
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -1,5 +1,10 @@
 Changes with Apache 1.3.38
 
+  *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+     mod_status: Fix a possible XSS attack against a site with a public
+     server-status page and ExtendedStatus enabled, for browsers which
+     perform charset "detection".  Reported by Stefan Esser.  [Joe Orton]
+
   *) SECURITY: CVE-2007-3304 (cve.mitre.org)
      Ensure that the parent process cannot be forced to kill non-child
      processes by checking scoreboard PID data with parent process

diff --git a/src/modules/standard/mod_status.c b/src/modules/standard/mod_status.c
index d5530902fd0ec1d73ab290e185dd4ee40f4506e3..526b194749a1068bcec8bfc0e6ffb72ea46ce7c0 100644 (file)
--- a/src/modules/standard/mod_status.c
+++ b/src/modules/standard/mod_status.c
@@ -221,7 +221,7 @@ static int status_handler(request_rec *r)
     if (r->method_number != M_GET)
        return DECLINED;
 
-    r->content_type = "text/html";
+    r->content_type = "text/html; charset=ISO-8859-1";
 
     /*
      * Simple table-driven form data set parser that lets you alter the header
@@ -247,7 +247,7 @@ static int status_handler(request_rec *r)
                    no_table_report = 1;
                    break;
                case STAT_OPT_AUTO:
-                   r->content_type = "text/plain";
+                   r->content_type = "text/plain; charset=ISO-8859-1";
                    short_report = 1;
                    break;
                }
@@ -570,7 +570,8 @@ static int status_handler(request_rec *r)
                        ap_rputs(")\n", r);
                        ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
                            ap_escape_html(r->pool, score_record.client),
-                           ap_escape_html(r->pool, score_record.request),
+                           ap_escape_html(r->pool,
+                                           ap_escape_logitem(r->pool, score_record.request)),
                            vhost ? ap_escape_html(r->pool, 
                                vhost->server_hostname) : "(unavailable)");
                    }
@@ -657,7 +658,8 @@ static int status_handler(request_rec *r)
                             ap_escape_html(r->pool, score_record.client),
                             vhost ? ap_escape_html(r->pool, 
                                vhost->server_hostname) : "(unavailable)",
-                            ap_escape_html(r->pool, score_record.request));
+                            ap_escape_html(r->pool,
+                                            ap_escape_logitem(r->pool, score_record.request)));
                    }           /* no_table_report */
                }                       /* !short_report */
            }                   /* if (<active child>) */