Apache mod_perl cross site scripting vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hello,

I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix. 

Explanation: The vulnerability affects non default configuration of
Apache HTTP web server, i.e cases, when access to Apache::Status and
Apache2::Status resources is explicitly allowed via <Location
/perl-status> httpd.conf configuration directive.  Its occurrence can be
prevented by using the default configuration for the Apache HTTP web
server (not exporting /perl-status).

I haven't used <Location /perl-status> but Trustwave still finds me
vulnerable. 

Evidence:
Request: GET /perl-
status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.mydomain.com
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 404 Not Found
Date: Mon, 07 Aug 2015 11:10:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-
check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Body: contains '"><script>alert('xss')</script>'


How can I get around this?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux