summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartynas Venckus <martynas@cvs.openbsd.org>2007-08-08 21:01:45 +0000
committerMartynas Venckus <martynas@cvs.openbsd.org>2007-08-08 21:01:45 +0000
commit21bf4daa8658b2e95e0263866ab4709a82b5418b (patch)
treee6a62f2114156397fdb36224e19d4aed4eb1be86
parent4785217b3ea280c4ab5022625967dfbe11411d3e (diff)
fix CVE-2006-5752
A flaw was found in the mod_status module. On sites where the server-status page is publicly accessible and ExtendedStatus is enabled this could lead to a cross-site scripting attack. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available. ok miod@, henning@
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_status.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c
index f6a883ef8c5..863b0894194 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_status.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_status.c
@@ -245,7 +245,7 @@ static int status_handler(request_rec *r)
if (r->method_number != M_GET)
return DECLINED;
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
/*
* Simple table-driven form data set parser that lets you alter the header
@@ -271,7 +271,7 @@ static int status_handler(request_rec *r)
no_table_report = 1;
break;
case STAT_OPT_AUTO:
- r->content_type = "text/plain";
+ r->content_type = "text/plain; charset=ISO-8859-1";
short_report = 1;
break;
}
@@ -563,7 +563,7 @@ static int status_handler(request_rec *r)
ap_rputs(")\n", r);
ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
ap_escape_html(r->pool, score_record.client),
- ap_escape_html(r->pool, score_record.request),
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)),
vhost ? ap_escape_html(r->pool,
vhost->server_hostname) : "(unavailable)");
}
@@ -639,14 +639,14 @@ static int status_handler(request_rec *r)
"</tr>\n\n",
score_record.client,
vhost ? vhost->server_hostname : "(unavailable)",
- ap_escape_html(r->pool, score_record.request));
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
#else
ap_rprintf(r,
"<td>%s<td nowrap>%s<td nowrap>%s</tr>\n\n",
ap_escape_html(r->pool, score_record.client),
vhost ? ap_escape_html(r->pool,
vhost->server_hostname) : "(unavailable)",
- ap_escape_html(r->pool, score_record.request));
+ ap_escape_html(r->pool, ap_escape_logitem(r->pool, score_record.request)));
#endif
} /* no_table_report */
} /* !short_report */