LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

mod_ssl: cross site scripting problem

Package(s):mod_ssl, libapache-mod-ssl CVE #(s):CAN-2002-1157
Created:October 22, 2002 Updated:December 12, 2002
Description: Joe Orton discovered a cross site scripting problem in mod_ssl, an Apache module that adds Strong cryptography (i.e. HTTPS support) to the webserver. The module will return the server name unescaped in the response to an HTTP request on an SSL port.

Like the other recent Apache XSS bugs, this only affects servers using a combination of "UseCanonicalName off" and wildcard DNS. This is very unlikely to happen, though. Apache 2.0/mod_ssl is not vulnerable since it already escapes this HTML.

Alerts:
Red Hat RHSA-2002:222-21 2002-11-25
Conectiva CLA-2002:541 2002-10-30
EnGarde ESA-20021029-027 2002-10-29
Gentoo mod_ssl-20021027 2002-10-27
Mandrake MDKSA-2002:072 2002-10-24
OpenPKG OpenPKG-SA-2002.010 2002-10-23
Debian DSA-181-1 2002-10-22
(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds