Re: Apache mod_perl cross site scripting vulnerability




On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one@xxxxxxx> wrote:

> I haven't used <Location /perl-status> but Trustwave still finds me
> vulnerable.
>
[...]
> Response: HTTP/1.1 404 Not Found

You clearly aren't serving perl-status; that's a red herring here.

[...]
> Body: contains '"><script>alert('xss')</script>'

That's your problem; they're flagging you for an XSS "vulnerability".
I'm guessing you have a custom 404 page that naively echoes the entire
request URL as part of the page?  You need to be using
htmlspecialchars() or HTML::Entities or whatever your
language/environment has to escape strings for safe inclusion in HTML
content.

There is of course more to it than that (sigh), try for starters:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

--ln
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
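The fix the reply describes, as an added example that is not part of the original thread or of any CentOS or mod_perl code: a 404 page body that reflects the requested path, once built by raw interpolation (the mistake the scanner is flagging) and once with HTML::Entities applied first. The helper names, the page markup and the sample input are constructed for this illustration; the probe string is the one quoted from the scanner report above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);   # from the HTML-Parser distribution

# Hypothetical helper: the naive form of a custom 404 page. The request
# URI is interpolated straight into the markup, so a URL containing
# '"><script>...' closes the surrounding context and runs as script.
sub not_found_body_unsafe {
    my ($uri) = @_;
    return "<html><body><h1>404 Not Found</h1>\n"
         . "<p>The requested URL $uri was not found on this server.</p>\n"
         . "</body></html>\n";
}

# Hypothetical helper: same page, but the URI is escaped before it is
# placed in HTML content. encode_entities() replaces < > & " ' (and
# control / high-bit characters) with entity references, so the browser
# renders the path as text instead of parsing it as markup.
sub not_found_body_safe {
    my ($uri) = @_;
    my $escaped = encode_entities($uri);
    return "<html><body><h1>404 Not Found</h1>\n"
         . "<p>The requested URL $escaped was not found on this server.</p>\n"
         . "</body></html>\n";
}

# Constructed sample input: the probe string from the scanner report,
# prefixed with a path the way it would arrive in a request URI.
my $probe = q{/nonexistent"><script>alert('xss')</script>};

print "--- unsafe ---\n", not_found_body_unsafe($probe);
print "--- safe ---\n",   not_found_body_safe($probe);

# Quick self-check: the hardened body must not contain a live tag.
my $safe = not_found_body_safe($probe);
die "escaping failed\n" if $safe =~ /<script/i;
print "OK: reflected path is inert\n";
```

In a mod_perl handler the value to escape is whatever you pull from the request object (for example `$r->uri` or `$r->unparsed_uri`, both real Apache2::RequestRec methods); the same rule applies to anything else echoed into the page, such as query parameters or headers. Escaping for HTML content is only correct for HTML content: a value written into an attribute, a URL, or inline JavaScript needs the encoding appropriate to that context, which is the point the linked OWASP cheat sheet expands on.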


