From: Sander Temme Date: Thu, 12 Jul 2007 03:49:09 +0000 (+0000) Subject: CVE-2006-5752 backport X-Git-Tag: 2.0.60~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e4a2a7e2cb80bdb74c0f8accacc1dc886101198d;p=thirdparty%2Fapache%2Fhttpd.git CVE-2006-5752 backport git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@555482 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 263853acdf8..54a1eb607e6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.60 + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + *) mod_ssl: initialize thread locks before initializing the hardware acceleration library, so the latter can make use of the former. PR 20951. [] diff --git a/STATUS b/STATUS index f59ea33712d..a8cc69eb2f8 100644 --- a/STATUS +++ b/STATUS @@ -114,7 +114,7 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) SECURITY: CVE-2007-1863 (cve.mitre.org) + * SECURITY: CVE-2007-1863 (cve.mitre.org) mod_cache: Prevent segfault from Cache-Control headers with no values Trunk version of patch: @@ -142,11 +142,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: http://svn.apache.org/viewvc?view=rev&rev=520733 +1: wrowe, sctemme, rpluem - * SECURITY: CVE-2006-5752 - mod_status XSS fix for broken browsers: - http://svn.apache.org/viewvc?view=rev&rev=549159 - +1: jorton, rpluem, sctemme - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new diff --git a/modules/generators/mod_status.c b/modules/generators/mod_status.c index 771cd072070..cb176ce09cf 100644 --- a/modules/generators/mod_status.c 
+++ b/modules/generators/mod_status.c @@ -269,7 +269,7 @@ static int status_handler(request_rec *r) if (r->method_number != M_GET) return DECLINED; - ap_set_content_type(r, "text/html"); + ap_set_content_type(r, "text/html; charset=ISO-8859-1"); /* * Simple table-driven form data set parser that lets you alter the header @@ -298,7 +298,7 @@ static int status_handler(request_rec *r) no_table_report = 1; break; case STAT_OPT_AUTO: - ap_set_content_type(r, "text/plain"); + ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); short_report = 1; break; } @@ -664,7 +664,8 @@ static int status_handler(request_rec *r) ap_escape_html(r->pool, ws_record->client), ap_escape_html(r->pool, - ws_record->request), + ap_escape_logitem(r->pool, + ws_record->request)), ap_escape_html(r->pool, ws_record->vhost)); } @@ -753,7 +754,8 @@ static int status_handler(request_rec *r) ap_escape_html(r->pool, ws_record->vhost), ap_escape_html(r->pool, - ws_record->request)); + ap_escape_logitem(r->pool, + ws_record->request))); } /* no_table_report */ } /* for (j...) */ } /* for (i...) */
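Review bot: In the STATUS hunk at @@ -114,7 +114,7 the bullet for CVE-2007-1863 changes from "*)" to "*", which has nothing to do with the CVE-2006-5752 backport named in the commit message. It matches the "* SECURITY" style of the entry removed in the following hunk, so it looks like a formatting cleanup; either split it out or mention it in the commit message so that the security backport stays easy to audit on its own.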
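Review bot: The ap_set_content_type(r, "text/html; charset=ISO-8859-1") call at @@ -269,7 +269,7 in status_handler() carries no comment saying why the charset is now pinned. The CHANGES entry gives the reason (browsers which perform charset "detection"), but a reader of mod_status.c will not see it. A one-line comment above the call that references CVE-2006-5752 would keep a later cleanup from dropping the parameter.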
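Review bot: In the STAT_OPT_AUTO case at @@ -298,7 +298,7 the "; charset=ISO-8859-1" suffix appears as a second, separately typed string literal. Since the fix depends on both the text/html and the text/plain responses declaring a charset, consider defining the suffix once (a macro next to the other status defines) and using it in both ap_set_content_type() calls, so the two cannot drift apart.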
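Review bot: In the hunk at @@ -664,7 +664,8 only ws_record->request is passed through ap_escape_logitem() before ap_escape_html(), while ws_record->client and ws_record->vhost in the same argument list still get ap_escape_html() alone. If those two fields can never hold client-supplied bytes, a short comment saying so would answer the obvious question; if they can, they need the same treatment. The nesting order, ap_escape_logitem() inside and ap_escape_html() outside, looks right, because the HTML escaping is then applied to the already-sanitised string.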
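Review bot: The hunk at @@ -753,7 +754,8 repeats the nested ap_escape_html(r->pool, ap_escape_logitem(r->pool, ws_record->request)) expression already added at @@ -664. Two hand-written copies of a security-relevant escape are easy to change inconsistently; computing the escaped request string once per record into a local variable and using it in both report formats would remove that risk and make the argument lists easier to read.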