
Bugtraq mailing list archives

Cross Site Scripting security issue
From: zilbauer () SLAPPY ORG (Robert Zilbauer)
Date: Wed, 2 Feb 2000 18:54:53 -0800

Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
From: Marc Slemko <marcs () znep com>
To: announce () apache org
Subject: Cross Site Scripting security issue


As you may already be aware, today CERT released an advisory about
a security vulnerability that has been discovered associated with
malicious HTML tags (especially scripting tags) being embedded in
client web requests.  The common name currently associated with this
problem is "Cross Site Scripting", even though this name is not entirely
accurate in its description of the problem.

Please review the CERT advisory available at:


for more details.  Pay particular attention to their Tech Tip for
Web Developers, available at:


There are a number of ways in which this issue impacts Apache itself,
and many more ways in which it impacts sites developed using related
technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
that run on top of Apache.  We have put together some information
about this and it is available at:


Please visit this page for more information if you think this
problem impacts your site or if you don't understand if the problem
impacts your site.  Included on this page are patches to Apache to
fix a number of related bugs and to add a number of features that
may be helpful in defending against this type of attack.  We expect to
release a new version of Apache in the immediate future that includes
these patches, but do not yet have an exact timeline planned for this

Please note that this issue does not in any way compromise the security
of your server directly.  All the issues related to this involve tricking
a client into doing something that is not what the user intends.

We expect to update our pages with more information in the future,
as more of the details of and consequences of this issue are

--
    Marc Slemko     | Apache Software Foundation member
    marcs () znep com  | marc () apache org


Robert C. Zilbauer, Jr.                          Long live the new flesh.
Primary: zilbauer () slappy org                  Secondary: zilbauer () efn org

          "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."
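As an added example (not part of Marc Slemko's mail, the CERT advisory, or Apache's patches), the pattern the advisory describes, a request parameter copied into the HTML response, beside a hardened form that encodes the value and sends an explicit charset; the query string, parameter name and charset below are constructed for illustration:

```python
from html import escape
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample request: a search-style query string carrying a script
# tag, i.e. "malicious HTML tags embedded in client web requests".
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2"


def reflect_unsafe(query_string: str) -> str:
    """The vulnerable pattern: the untrusted parameter is written into the
    page verbatim, so any tag it contains becomes part of the document."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<html><body>Results for: %s</body></html>" % q


def reflect_safe(query_string: str) -> Tuple[Dict[str, str], str]:
    """Same page with two defensive changes: the untrusted value is
    HTML-encoded before it is placed in markup ('<', '>', '&' and quotes
    can no longer open a tag or attribute), and the response names its
    charset explicitly so the browser does not guess a different one."""
    q = parse_qs(query_string).get("q", [""])[0]
    headers = {"Content-Type": "text/html; charset=ISO-8859-1"}
    body = "<html><body>Results for: %s</body></html>" % escape(q, quote=True)
    return headers, body


def contains_raw_tag(body: str, untrusted_value: str) -> bool:
    """Regression check for a test suite: true if the untrusted input still
    appears in the response with its angle brackets intact."""
    return "<" in untrusted_value and untrusted_value in body
```

`contains_raw_tag` flags the unsafe handler and clears the encoded one; it checks the reflected value only, not every tag in the page.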

