Re: Apache mod_perl cross site scripting vulnerability




On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one@xxxxxxx> wrote:
> 
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> >
> [...]
> > Response: HTTP/1.1 404 Not Found
> 
> You clearly aren't serving perl-status; that's a red herring here.

Indeed, I don't have mod_proxy installed. 

> [...]
> > Body: contains '"><script>alert('xss')</script>'
> 
> That's your problem; they're flagging you for an XSS "vulnerability".
> I'm guessing you have a custom 404 page that naively echoes the entire
> request URL as part of the page?  You need to be using
> htmlspecialchars() or HTML::Entities or whatever your
> language/environment has to escape strings for safe inclusion in HTML
> content.

There is a PHP-generated 404 page. I'll check that with the web developer.
What's strange is that I'm trying to reproduce this and I don't see that
string. Trustwave support suggested I use Burp Suite and its Repeater
tool. I found some Windows machine, installed it, and all I see inside the
body is "Unable to resolve the request
"perl-status/APR::SockAddr::port"".

Is there a way to use curl for testing? I'm getting a new line because of
the single quote inside the string, and escaping it with a backslash gives me
bash: syntax error near unexpected token `<'


> There is of course more to it than that (sigh), try for starters:
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Very nice reading, thanks!
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
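The following is an added example, not part of the thread above, that answers the two practical points raised in it: how to send the reported marker with curl from bash without tripping over the single quotes (put the whole marker in double quotes, so only the inner double quote needs a backslash), and what a correctly escaped echo of that marker looks like (the same substitutions PHP's htmlspecialchars() with ENT_QUOTES makes), so you can tell a safe 404 page from one that reflects the request path verbatim. The host name and path are placeholders; the marker is the one quoted in the scan output, placed in the URL path as the scanner did.

```shell
#!/bin/sh
# Added example (not from the original thread): probe a 404 page for a
# reflected XSS marker with curl and decide whether the page echoes it
# back unescaped. Target URL and path are hypothetical placeholders.

# The marker from the scan report. Inside double quotes the single quotes
# are plain characters; only the embedded double quote needs escaping.
PAYLOAD="\"><script>alert('xss')</script>"

# urlencode STR: percent-encode everything except RFC 3986 unreserved
# characters, so the marker travels in the path exactly as the scanner
# sent it (ASCII input assumed).
urlencode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}       # first character
        s=${s#?}              # rest of the string
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# html_escape STR: what a safe 404 page should print for STR, mirroring
# PHP htmlspecialchars($str, ENT_QUOTES). '&' is replaced first so the
# entities introduced afterwards are not double-escaped.
html_escape() {
    printf '%s' "$1" | sed \
        -e 's/&/\&amp;/g' \
        -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' \
        -e 's/"/\&quot;/g' \
        -e "s/'/\&#039;/g"
}

# reflects_unescaped MARKER: read a response body on stdin; succeed (0)
# only if the raw, unescaped marker appears in it.
reflects_unescaped() {
    grep -qF -- "$1"
}

# probe BASE_URL MARKER: GET BASE_URL/<encoded marker>, report the status
# and whether the body reflects the marker verbatim. Returns 0 when it
# does (i.e. the page is vulnerable), 1 otherwise.
probe() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$1/$(urlencode "$2")")
    if reflects_unescaped "$2" < "$tmp"; then
        rm -f "$tmp"
        printf 'HTTP %s: marker reflected unescaped (reflected XSS)\n' "$status"
        return 0
    fi
    rm -f "$tmp"
    printf 'HTTP %s: marker not reflected verbatim\n' "$status"
    return 1
}

# Usage: sh probe.sh http://www.example.com/perl-status
if [ $# -ge 1 ]; then
    probe "$1" "$PAYLOAD"
fi
```

Run it against the same path the scanner reported; a 404 whose body contains the raw `"><script>` is what Trustwave is flagging, while a body that shows `&quot;&gt;&lt;script&gt;` is the escaped form you want. Note that the check is deliberately literal: if the page reflects the marker in some other context (inside a JavaScript string, an attribute without quotes) the HTML-entity escaping alone may not be enough, which is the point the OWASP cheat sheet linked above elaborates.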


