Apache fixes scripting flaw
SSI error pages
Posted in Security, 4th October 2002 12:36 GMT
Apache is vulnerable to a number of cross-site scripting attacks.
According to a posting to BugTraq this week, the popular Web server platform is vulnerable due to "SSI error pages of the Web server not being properly sanitised of malicious HTML code".
Because of this, attacker-constructed HTML pages or script code may be executed on a web client visiting the malicious link placed on sites run using Apache. Cookie-based authentication credentials might be stolen using the attack or, worse, a number of arbitrary actions might be taken on a victim's machine.
A proof-of-concept exploit has been posted to BugTraq.
Previous versions of Apache on a wide variety of platforms are potentially vulnerable, as explained in greater detail here.
Admins are advised to update their Web server software to either Apache version 1.3.27 or 2.0.43, both of which are resilient to the attack. These versions incorporate a fix, as explained in more depth on Apache's Web site, by security researcher Matthew Murphy, who reported the flaw. ®
