Apache fixes scripting flaw
Print storySSI error pages
Posted in Security, 4th October 2002 12:36 GMT
Free whitepaper – Certify your software integrity with Thawte code signing certificates
Apache is vulnerable to a number of cross-site scripting attacks.
According to a posting to BugTraq this week, the popular Web server platform is vulnerable due to "SSI error pages of the Web server not being properly sanitised of malicious HTML code".
Because of this, attacker-constructed HTML pages or script code may be executed on a web client visiting the malicious link placed on sites run using Apache. Cookie-based authentication credentials might be stolen using the attack or, worse, a number of arbitrary actions might be taken on a victim's machine.
A proof-of-concept exploit has been posted to BugTraq.
Previous versions of Apache on a wide variety of platform are potentially vulnerable, as explained in greater detail here.
Admins are advised to update their Web server software to either Apache versions 1.3.27 or 2.0.43, which are both resilient to the attack. These versions incorporate a fix, as explained in more depth on Apache's Web site, by security researcher Matthew Murphy, who reported the flaw. ®
Free whitepaper – Securing your Apache web server with a Thawte digital certificate
The best practices guide for application security
Reducing messaging and web security costs with managed services
Avoiding 7 common mistakes of IT security compliance
Certify your software integrity with Thawte code signing certificates
The future of SaaS and IT infrastructure management
Feds: Hospital hacker's 'massive' DDoS averted
Buggy 'smart meters' open door to power-grid botnet
Microsoft knew of nasty IE bug a year before attacks
BlockMaster SafeStick hardware-encrypted USB drive