From: Jeff Trawick Date: Tue, 24 Jul 2007 18:03:56 +0000 (+0000) Subject: SECURITY: CVE-2006-5752 (cve.mitre.org) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69bfe5d161d03ea9f83f2524b0f38c8153f039e9;p=thirdparty%2Fapache%2Fhttpd.git SECURITY: CVE-2006-5752 (cve.mitre.org) mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser. [Joe Orton] Joe's patch was tweaked ever so slightly by me, then reviewed by Joe and Sander T. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/1.3.x@559142 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/src/CHANGES b/src/CHANGES index b2c21c2588e..86de12e489b 100644 --- a/src/CHANGES +++ b/src/CHANGES @@ -1,5 +1,10 @@ Changes with Apache 1.3.38 + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + *) SECURITY: CVE-2007-3304 (cve.mitre.org) Ensure that the parent process cannot be forced to kill non-child processes by checking scoreboard PID data with parent process diff --git a/src/modules/standard/mod_status.c b/src/modules/standard/mod_status.c index d5530902fd0..526b194749a 100644 --- a/src/modules/standard/mod_status.c +++ b/src/modules/standard/mod_status.c @@ -221,7 +221,7 @@ static int status_handler(request_rec *r) if (r->method_number != M_GET) return DECLINED; - r->content_type = "text/html"; + r->content_type = "text/html; charset=ISO-8859-1"; /* * Simple table-driven form data set parser that lets you alter the header @@ -247,7 +247,7 @@ static int status_handler(request_rec *r) no_table_report = 1; break; case STAT_OPT_AUTO: - r->content_type = "text/plain"; + r->content_type = "text/plain; charset=ISO-8859-1"; short_report = 1; break; } 
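Review bot: The charset lands as a bare literal in `r->content_type = "text/html; charset=ISO-8859-1";` with nothing saying why it is there, and the same literal is then repeated by hand in the `STAT_OPT_AUTO` case below, so any further report format that assigns `r->content_type` will silently lose the protection. I would add a comment above the first assignment, `/* Declare the charset explicitly: without it a browser may "detect" an encoding such as UTF-7 from the body and read escaped request text as markup (CVE-2006-5752). */`, and hoist the two strings into one `#define` next to it so the two cases cannot drift apart. The declaration only helps if the body really stays within ISO-8859-1; this hunk does not show that, and the request-line escaping in the later hunks appears to be what bounds the only user-controlled field, so that dependency is worth stating in the comment. status_handler begins before this hunk.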
@@ -570,7 +570,8 @@ static int status_handler(request_rec *r) ap_rputs(")\n", r); ap_rprintf(r, " %s {%s} [%s]
\n\n", ap_escape_html(r->pool, score_record.client), - ap_escape_html(r->pool, score_record.request), + ap_escape_html(r->pool, + ap_escape_logitem(r->pool, score_record.request)), vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)"); } @@ -657,7 +658,8 @@ static int status_handler(request_rec *r) ap_escape_html(r->pool, score_record.client), vhost ? ap_escape_html(r->pool, vhost->server_hostname) : "(unavailable)", - ap_escape_html(r->pool, score_record.request)); + ap_escape_html(r->pool, + ap_escape_logitem(r->pool, score_record.request))); } /* no_table_report */ } /* !short_report */ } /* if () */
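Review bot: The nested `ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request))` carries no comment explaining why two escapes are stacked, while `score_record.client` on the preceding argument line still gets `ap_escape_html` alone. If HostnameLookups is on that field can hold a resolver-supplied name rather than an address, and nothing in this hunk shows it is guaranteed printable ASCII, so wrapping it the same way would make the defence uniform rather than per-field. Assuming ap_escape_logitem does here what it does for access logs (turns non-printable and 8-bit bytes into backslash escapes — worth confirming), I would add above the call `/* escape_logitem neutralises raw control/8-bit bytes in the request line before escape_html handles markup; both are needed so browsers cannot "detect" a charset other than the declared one (CVE-2006-5752) */`. The enclosing status_handler starts and ends outside this hunk.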
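Review bot: The no_table_report branch repeats the `ap_escape_html(..., ap_escape_logitem(..., score_record.request))` idiom from the table report above, so the two output paths must now be kept in step by hand. A small file-local helper, `static const char *status_escape_request(pool *p, const char *req) { return ap_escape_html(p, ap_escape_logitem(p, req)); }`, called from both sites would make it hard for a third report format to forget the logitem step. status_handler continues past the end of this hunk.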