Bugtraq mailing list archives
Cross Site Scripting security issue
From: zilbauer () SLAPPY ORG (Robert Zilbauer)
Date: Wed, 2 Feb 2000 18:54:53 -0800
Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
From: Marc Slemko <marcs () znep com>
To: announce () apache org
Subject: Cross Site Scripting security issue

-----BEGIN PGP SIGNED MESSAGE-----

As you may already be aware, today CERT released an advisory about a security vulnerability that has been discovered associated with malicious HTML tags (especially scripting tags) being embedded in client web requests. The common name currently associated with this problem is "Cross Site Scripting", even though this name is not entirely accurate in its description of the problem.

Please review the CERT advisory available at:

http://www.cert.org/advisories/CA-2000-02.html

for more details. Pay particular attention to their Tech Tip for Web Developers, available at:

http://www.cert.org/tech_tips/malicious_code_mitigation.html

There are a number of ways in which this issue impacts Apache itself, and many more ways in which it impacts sites developed using related technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc. that run on top of Apache. We have put together some information about this and it is available at:

http://www.apache.org/info/css-security/

Please visit this page for more information if you think this problem impacts your site or if you don't understand if the problem impacts your site. Included on this page are patches to Apache to fix a number of related bugs and to add a number of features that may be helpful in defending against this type of attack. We expect to release a new version of Apache in the immediate future that includes these patches, but do not yet have an exact timeline planned for this release.

Please note that this issue does not in any way compromise the security of your server directly. All the issues related to this involve tricking a client into doing something that is not what the user intends.
We expect to update our pages with more information in the future, as more of the details and consequences of this issue are discovered.

- --
Marc Slemko | Apache Software Foundation member
marcs () znep com | marc () apache org
-----
Robert C. Zilbauer, Jr.
Long live the new flesh.
Primary: zilbauer () slappy org
Secondary: zilbauer () efn org
"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."
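As an added illustration of the problem the forwarded advisory describes (this is not code from the post, from CERT or from Apache), here is a minimal CGI-style handler that reflects a client-supplied request parameter into an HTML page, first in the unsafe form and then with the output encoding the CERT Tech Tip recommends. The query string, parameter name and page layout are constructed for the example; the explicit charset in the response header follows the advice in the linked CERT material.

```python
# Added example (not from the post or from Apache): a CGI-style handler that
# reflects a request parameter into HTML, shown as the unsafe pattern the
# advisory warns about and then with output encoding applied.
import html
from urllib.parse import parse_qs

# Constructed sample query string a client might send; the embedded script
# tag is the "malicious HTML in a client request" case from the advisory.
SAMPLE_QUERY = "name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def get_param(query_string: str, key: str) -> str:
    """Return the first value of `key` from a URL query string, or ''."""
    values = parse_qs(query_string, keep_blank_values=True).get(key, [""])
    return values[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: client-supplied text is copied into the page as-is,
    so any tags it contains are parsed by the victim's browser as markup."""
    name = get_param(query_string, "name")
    return f"<html><body><p>Hello, {name}</p></body></html>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-encode the untrusted text before embedding it.

    html.escape turns < > & " ' into character references, so whatever the
    client sent is displayed as text rather than interpreted as markup.
    """
    name = html.escape(get_param(query_string, "name"), quote=True)
    return f"<html><body><p>Hello, {name}</p></body></html>"


def response_headers() -> dict:
    """Headers for the hardened response. Declaring the charset explicitly
    stops the browser from guessing an encoding in which other byte
    sequences could be read as markup."""
    return {"Content-Type": "text/html; charset=ISO-8859-1"}


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_QUERY))  # tag survives intact
    print(render_safe(SAMPLE_QUERY))    # tag arrives as &lt;script&gt;...
```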