| VID |
22143 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Apache webserver is vulnerable to cross site scripting attacks. This vulnerability is due to the SSI (Server Side Include) error pages of the webserver not being properly sanitized of malicious HTML code.
Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26, when UseCanonicalName is "Off" and support for wildcard DNS is present, allows remote attackers to execute script as other web page visitors via the Host: header.
Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.
* Platforms Affected:
Apache 1.3 prior to 1.3.27
Apache 2.0 prior to 2.0.43
* References:
http://online.securityfocus.com/bid/5847
http://online.securityfocus.com/archive/1/293791 |
| Recommendation |
Apply the appropriate patch for your system, as listed in the following site:
http://online.securityfocus.com/bid/5847/solution/
-- OR --
Upgrade to the latest version of Apache. The Apache Software Foundation has released Apache 2.0.43 to eliminate this vulnerability. It is available from http://www.apache.org/dist/httpd/ |
| Related URL |
CVE-2002-0840 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
