authorMartynas Venckus <martynas@cvs.openbsd.org>2008-01-12 00:37:09 +0000
committerMartynas Venckus <martynas@cvs.openbsd.org>2008-01-12 00:37:09 +0000
commit1521a0a9f2fbddad375399c5b99a1f3021608f71 (patch)
treecfa6772120fbb07209d299590cae1f63c1138dba /usr.sbin
parentab2fe282fa4db66a0dfd011f13fa2ce0624d835a (diff)
Fix mod_status XSS CVE-2007-6388:
A flaw was found in the mod_status module. On sites where mod_status is enabled and the status pages were publicly accessible, a cross-site scripting attack is possible. Note that the server-status page is not enabled by default and it is best practice to not make this publicly available. Fix mod_imap XSS CVE-2007-5000: A flaw was found in the mod_imap module. On sites where mod_imap is enabled and an imagemap file is publicly available, a cross-site scripting attack is possible. ok miod@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_imap.c10
-rw-r--r--usr.sbin/httpd/src/modules/standard/mod_status.c20
2 files changed, 15 insertions, 15 deletions
diff --git a/usr.sbin/httpd/src/modules/standard/mod_imap.c b/usr.sbin/httpd/src/modules/standard/mod_imap.c
index c9bdea6e69e..8d04cbd00ff 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_imap.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_imap.c
@@ -501,15 +501,17 @@ static int imap_reply(request_rec *r, char *redirect)
static void menu_header(request_rec *r, char *menu)
{
- r->content_type = "text/html";
+ r->content_type = "text/html; charset=ISO-8859-1";
ap_send_http_header(r);
ap_hard_timeout("send menu", r); /* killed in menu_footer */
- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
- "</title>\n</head><body>\n", NULL);
+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
+ ap_escape_html(r->pool, r->uri),
+ "</title>\n</head><body>\n", NULL);
if (!strcasecmp(menu, "formatted")) {
- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
+ ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
+ "</h1>\n<hr>\n\n", NULL);
}
return;
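Review bot: The new `text/html; charset=ISO-8859-1` content type in menu_header is part of the XSS fix but has no comment, so a later cleanup could drop it as cosmetic. With no declared charset a browser may guess the encoding, which presumably weakens the byte-level escaping done by `ap_escape_html`; a comment such as `/* declare the charset so the browser does not sniff another encoding for the escaped URI */` above the assignment would record the reason. `ap_escape_html(r->pool, r->uri)` is also evaluated twice when the menu is "formatted"; one local, `const char *uri = ap_escape_html(r->pool, r->uri);`, would make a single pool allocation and keep both outputs in step. The end of menu_header is not shown in the hunk.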
diff --git a/usr.sbin/httpd/src/modules/standard/mod_status.c b/usr.sbin/httpd/src/modules/standard/mod_status.c
index 863b0894194..6159b7683cf 100644
--- a/usr.sbin/httpd/src/modules/standard/mod_status.c
+++ b/usr.sbin/httpd/src/modules/standard/mod_status.c
@@ -256,17 +256,15 @@ static int status_handler(request_rec *r)
while (status_options[i].id != STAT_OPT_END) {
if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
switch (status_options[i].id) {
- case STAT_OPT_REFRESH:
- if (*(loc + strlen(status_options[i].form_data_str)) == '='
- && atol(loc + strlen(status_options[i].form_data_str)
- + 1) > 0)
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str,
- loc + strlen(status_options[i].hdr_out_str) + 1);
- else
- ap_table_set(r->headers_out,
- status_options[i].hdr_out_str, "1");
- break;
+ case STAT_OPT_REFRESH: {
+ long refreshtime = 0;
+ if (*(loc + strlen(status_options[i].form_data_str)) == '=')
+ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
+ ap_table_set(r->headers_out,
+ status_options[i].hdr_out_str,
+ ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
+ break;
+ }
case STAT_OPT_NOTABLE:
no_table_report = 1;
break;
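Review bot: `atol` in the STAT_OPT_REFRESH case cannot report a non-numeric or out-of-range value, and the C standard leaves its behaviour undefined when the number does not fit in a long; the input comes straight from the query string in `r->args`. `strtol` has defined overflow behaviour, so `refreshtime = strtol(loc + strlen(status_options[i].form_data_str) + 1, NULL, 10);` followed by a clamp such as `if (refreshtime < 1 || refreshtime > MAX_REFRESH) refreshtime = 10;` would keep the Refresh header in a sane range (`MAX_REFRESH` is a placeholder name, not a constant from this file). The fallback also changes from "1" to 10 seconds, which the commit message does not mention; a short comment on the ternary would explain the choice. status_handler starts and ends outside the hunk.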