[SNS Advisory No.57] AN HTTPD Cross-site Scripting Vulnerability
From: snsadv@lac.co.jp
Date: 10/28/02
Date: Mon, 28 Oct 2002 17:40:23 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com
----------------------------------------------------------------------
SNS Advisory No.57
AN HTTPD Cross-site Scripting Vulnerability
Problem first discovered: Wed, 23 Oct 2002
Published: Mon, 28 Oct 2002
Reference: http://www.lac.co.jp/security/english/snsadv_e/57_e.html
----------------------------------------------------------------------
Overview:
---------
AN HTTPD 1.41d is prone to a Cross-site Scripting vulnerability.
Details:
--------
AN HTTPD shows an error page if a client sends a request containing
":" in the URI field. The problem occurs because this URI is inserted
into the error page without being sanitized.
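The flaw described above and its correction, as an added example that is
not part of the original advisory and is not AN HTTPD source code. The
error-page wording, function names and sample URI are all constructed.

```python
# Added illustration; not AN HTTPD source code. The page template,
# function names and SAMPLE_URI are constructed for this example.
import html

ERROR_TEMPLATE = (
    "<html><head><title>Error</title></head>"
    "<body><h1>Error</h1>"
    "<p>The requested URI {uri} could not be processed.</p></body></html>"
)

# Constructed request URI: contains ':' (the advisory's trigger) plus harmless markup.
SAMPLE_URI = "/a:<b>constructed</b>"


def needs_error_page(uri: str) -> bool:
    """Trigger condition stated in the advisory: the URI contains ':'."""
    return ":" in uri


def render_error_unsanitized(uri: str) -> str:
    """Flawed pattern: the client-supplied URI is copied into the HTML as-is."""
    return ERROR_TEMPLATE.format(uri=uri)


def render_error_escaped(uri: str) -> str:
    """Corrected pattern: HTML-encode the URI before placing it in the page."""
    return ERROR_TEMPLATE.format(uri=html.escape(uri, quote=True))


def reflects_raw_markup(page: str, uri: str) -> bool:
    """Regression check: True if markup characters from the URI reach the page unencoded."""
    return any(ch in uri for ch in "<>\"'&") and uri in page


if __name__ == "__main__":
    if needs_error_page(SAMPLE_URI):
        for render in (render_error_unsanitized, render_error_escaped):
            page = render(SAMPLE_URI)
            print(render.__name__, "reflects raw markup:",
                  reflects_raw_markup(page, SAMPLE_URI))
```
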
Tested Versions:
----------------
AN HTTPD 1.41d
Tested OS:
----------
Windows 2000 Server + SP3
Solution:
---------
This problem can be eliminated by updating to AN HTTPD 1.41e.
AN HTTPD 1.41e
http://www.st.rim.or.jp/~nakata/httpd141e.exe
Discovered by:
--------------
Keigo Yamazaki
Acknowledgements:
-----------------
Thanks to:
Mr. Akio Nakata
Disclaimer:
-----------
All information in these advisories is subject to change without
advance notice or mutual consensus, and each advisory is released
as it is. LAC Co., Ltd. is not responsible for any risks arising
from the application of this information.
------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/