Hello,

I've failed the latest PCI scan because of CVE-2009-0796. CentOS 6.7.

The Red Hat Security Response Team has rated this issue as having moderate security impact and the bug as WONTFIX. Explanation: The vulnerability affects a non-default configuration of the Apache HTTP web server, i.e. cases when access to Apache::Status and Apache2::Status resources is explicitly allowed via the <Location /perl-status> httpd.conf configuration directive. Its occurrence can be prevented by using the default configuration for the Apache HTTP web server (not exporting /perl-status).

I haven't used <Location /perl-status> but Trustwave still finds me vulnerable.

Evidence:

Request:
  GET /perl-status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  Host: www.mydomain.com
  Content-Type: text/html
  Content-Length: 0

Response:
  HTTP/1.1 404 Not Found
  Date: Mon, 07 Aug 2015 11:10:21 GMT
  Server: Apache/2.2.15 (CentOS)
  X-Powered-By: PHP/5.3.3
  Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8

Body: contains '"><script>alert('xss')</script>'

How can I get around this?

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
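The evidence in the post is worth reading closely: the server answered 404 (so /perl-status is not exported and mod_perl's Apache::Status is not involved), but the body of that 404 reproduced the request path, tag characters included. The X-Powered-By and PHPSESSID headers suggest the 404 page was rendered by a PHP handler (ErrorDocument or a front controller) rather than Apache's built-in error page, which would have escaped the URL. The scanner is therefore flagging reflected XSS in the error page, and the fix is to HTML-escape the path wherever that page echoes it. The following is an added example, not code from the poster or the CentOS list, written in Python rather than PHP so it can run offline: it reproduces the scanner's "body contains the payload" check against a constructed copy of the evidence, and shows the same page rendered with escaping so the check no longer fires. The sample request target, body markup and function names are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample modelled on the scanner evidence in the post: the request
# target carries a script tag and the (unsafe) 404 body echoes it verbatim.
PAYLOAD = "\"><script>alert('xss')</script>"
REQUEST_TARGET = "/perl-status/APR::SockAddr::port/" + PAYLOAD
UNSAFE_404_BODY = (
    "<html><body><h1>Not Found</h1>"
    "<p>The requested URL " + REQUEST_TARGET + " was not found.</p>"
    "</body></html>"
)


def reflects_unescaped(request_target: str, body: str) -> bool:
    """Return True when the percent-decoded request target contains markup
    characters and appears verbatim in the response body, i.e. the error page
    echoed the path without HTML-escaping it. This is the condition behind the
    scanner's "Body: contains ..." finding; a 404 status alone does not clear it.
    """
    decoded = unquote(request_target)
    if "<" not in decoded and ">" not in decoded:
        return False  # no tag characters in the path: nothing to reflect as markup
    return decoded in body


def safe_not_found_body(request_target: str) -> str:
    """Render a 404 page that still mentions the missing path but passes it
    through html.escape, so <, >, quotes and ampersands become entities and the
    browser never interprets the echoed path as HTML. A PHP error page would do
    the same with htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES)."""
    escaped = html.escape(unquote(request_target), quote=True)
    return (
        "<html><body><h1>Not Found</h1>"
        "<p>The requested URL " + escaped + " was not found.</p>"
        "</body></html>"
    )


if __name__ == "__main__":
    print("unsafe page reflects payload:", reflects_unescaped(REQUEST_TARGET, UNSAFE_404_BODY))
    fixed = safe_not_found_body(REQUEST_TARGET)
    print("escaped page reflects payload:", reflects_unescaped(REQUEST_TARGET, fixed))
    print(fixed)
```

To apply this to a real server, feed reflects_unescaped the exact request target from the scan report and the 404 body captured from your own host; if it returns True, locate the template or PHP page that writes the URL into the error response and escape it there. After the fix the scanner's request still gets a 404, but the body contains `&lt;script&gt;` rather than a live tag, which is what clears the finding.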