diff options
author | Martynas Venckus <martynas@cvs.openbsd.org> | 2008-01-12 00:37:09 +0000 |
---|---|---|
committer | Martynas Venckus <martynas@cvs.openbsd.org> | 2008-01-12 00:37:09 +0000 |
commit | 1521a0a9f2fbddad375399c5b99a1f3021608f71 (patch) | |
tree | cfa6772120fbb07209d299590cae1f63c1138dba /usr.sbin | |
parent | ab2fe282fa4db66a0dfd011f13fa2ce0624d835a (diff) |
Fix mod_status XSS CVE-2007-6388:
A flaw was found in the mod_status module. On sites where mod_status
is enabled and the status pages were publicly accessible, a cross-site
scripting attack is possible. Note that the server-status page is
not enabled by default and it is best practice to not make this
publicly available.
Fix mod_imap XSS CVE-2007-5000:
A flaw was found in the mod_imap module. On sites where mod_imap
is enabled and an imagemap file is publicly available, a cross-site
scripting attack is possible.
ok miod@
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_imap.c | 10 | ||||
-rw-r--r-- | usr.sbin/httpd/src/modules/standard/mod_status.c | 20 |
2 files changed, 15 insertions, 15 deletions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_imap.c b/usr.sbin/httpd/src/modules/standard/mod_imap.c index c9bdea6e69e..8d04cbd00ff 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_imap.c +++ b/usr.sbin/httpd/src/modules/standard/mod_imap.c @@ -501,15 +501,17 @@ static int imap_reply(request_rec *r, char *redirect) static void menu_header(request_rec *r, char *menu) { - r->content_type = "text/html"; + r->content_type = "text/html; charset=ISO-8859-1"; ap_send_http_header(r); ap_hard_timeout("send menu", r); /* killed in menu_footer */ - ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri, - "</title>\n</head><body>\n", NULL); + ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", + ap_escape_html(r->pool, r->uri), + "</title>\n</head><body>\n", NULL); if (!strcasecmp(menu, "formatted")) { - ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL); + ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri), + "</h1>\n<hr>\n\n", NULL); } return; diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c index 863b0894194..6159b7683cf 100644 --- a/usr.sbin/httpd/src/modules/standard/mod_status.c +++ b/usr.sbin/httpd/src/modules/standard/mod_status.c @@ -256,17 +256,15 @@ static int status_handler(request_rec *r) while (status_options[i].id != STAT_OPT_END) { if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) { switch (status_options[i].id) { - case STAT_OPT_REFRESH: - if (*(loc + strlen(status_options[i].form_data_str)) == '=' - && atol(loc + strlen(status_options[i].form_data_str) - + 1) > 0) - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, - loc + strlen(status_options[i].hdr_out_str) + 1); - else - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, "1"); - break; + case STAT_OPT_REFRESH: { + long refreshtime = 0; + if (*(loc + strlen(status_options[i].form_data_str)) == '=') + refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1); + ap_table_set(r->headers_out, + status_options[i].hdr_out_str, + ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime)); + break; + } case STAT_OPT_NOTABLE: no_table_report = 1; break; |