Bugtraq mailing list archives
Cross Site Scripting security issue
From: zilbauer () SLAPPY ORG (Robert Zilbauer)
Date: Wed, 2 Feb 2000 18:54:53 -0800
Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
From: Marc Slemko <marcs () znep com>
To: announce () apache org
Subject: Cross Site Scripting security issue
-----BEGIN PGP SIGNED MESSAGE-----
As you may already be aware, today CERT released an advisory about
a security vulnerability that has been discovered associated with
malicious HTML tags (especially scripting tags) being embedded in
client web requests. The common name currently associated with this
problem is "Cross Site Scripting", even though this name is not entirely
accurate in its description of the problem.
Please review the CERT advisory available at:
http://www.cert.org/advisories/CA-2000-02.html
for more details. Pay particular attention to their Tech Tip for
Web Developers, available at:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
There are a number of ways in which this issue impacts Apache itself,
and many more ways in which it impacts sites developed using related
technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
that runs on top of Apache. We have put together some information
about this and it is available at:
http://www.apache.org/info/css-security/
Please visit this page for more information if you think this
problem impacts your site or if you don't understand if the problem
impacts your site. Included on this page are patches to Apache to
fix a number of related bugs and to add a number of features that
may be helpful in defending against this type of attack. We expect to
release a new version of Apache in the immediate future that includes
these patches, but do not yet have an exact timeline planned for this
release.
Please note that this issue does not in any way compromise the security
of your server directly. All the issues related to this involve tricking
a client into doing something that is not what the user intends.
We expect to update our pages with more information in the future,
as more of the details of and consequences of this issue are
discovered.
- --
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
iQCVAwUBOJiD51Qv/g4Arev1AQFp+AP+PYknXFPhcFExJvrZ2OdXhR43w2Fwuhgp
UzhJFj8WLnpuaXNipQnE5/lVxNu2s7X6hshPP9GpDUkhU8u0WMXcJqydI4+/1OEV
O2yRhVeIMwhE8k38SDxIiJJ+DsPQJ5p/Rfi8tZRh4GneSU5JBhY3d5hkumfsPocs
NZYgV5YnhRs=
=fSkT
-----END PGP SIGNATURE-----
-----
Robert C. Zilbauer, Jr. Long live the new flesh.
Primary: zilbauer () slappy org Secondary: zilbauer () efn org
"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."
Current thread:
- Re: Evil Cookies., (continued)
- Re: Evil Cookies. Michael Bryan (Feb 08)
- Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- Re: Statistical Attack Against Virtual Banks HC Security (Feb 08)
- Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- Re: Statistical Attack Against Virtual Banks HC Security (Feb 09)
- Re: Statistical Attack Against Virtual Banks Swift Griggs (Feb 09)
- Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- SCO OpenServer SNMPD vulnerability NAI Labs (Feb 07)
- Re: Tempfile vulnerabilities Werner Koch (Feb 02)
- Re: Tempfile vulnerabilities Chris Cappuccio (Feb 03)
- Cross Site Scripting security issue Robert Zilbauer (Feb 02)
- Re: Tempfile vulnerabilities Len Budney (Feb 03)
- Re: Tempfile vulnerabilities antirez (Feb 05)
- Re: Tempfile vulnerabilities Ian Turner (Feb 07)
- Re: Tempfile vulnerabilities Seth David Schoen (Feb 07)
- Remote access vulnerability in all MySQL server versions Robert van der Meulen (Feb 08)
- don't run random "exploit" code Marc Slemko (Feb 08)
- cookies - nothing new Steven Champeon (Feb 07)
- Re: cookies - nothing new MJE (Feb 08)
- Re: Tempfile vulnerabilities Peter Berendi (Feb 08)
- Re: Tempfile vulnerabilities Marc Lehmann (Feb 08)
