Slashdot Mirror


Apache 2.0 Cross-site Scripting Vulnerability

jimmy writes "'A vulnerability exists in the SSI error pages of Apache 2.0 that involves incorrect filtering of server signature data. The vulnerability could enable an attacker to hijack web sessions, allowing a range of potential compromises on the targeted host.' This cross-site scripting (or XSS) hole has been found in all versions of Apache prior to 2.0.43. The advisory can be found here, and users are urged to upgrade to address this problem."


  1. Let's clarify... by Your_Mom · Score: 5, Informative

    It's not /all/ versions of Apache, just all 2.0 versions prior to 2.0.43.
    For those of us still running the 1.3 branch, we're good.

    --
    Objects in the blog are closer than they ap
    1. Re: Let's clarify... by lylonius · Score: 3, Informative

      Actually, you are mistaken. Cross-site scripting (XSS) vulnerability in the default error page of Apache 2.0 before 2.0.43, and 1.3.x up to 1.3.26

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0840

      Apache release notes here: http://www.apache.org/dist/httpd/Announcement.html
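
Added example, not part of the thread and not Apache project code: a first-pass triage of `Server` banners against the affected ranges given above (2.0.x before 2.0.43 from the story, 1.3.x up to 1.3.26 from the CVE text quoted in the reply). The hostnames and banners are constructed sample data, and the function names are hypothetical.

```python
import re

# Affected ranges as stated on this page:
#   2.0.x before 2.0.43, and 1.3.x up to and including 1.3.26.
# Stored as the first patch level that is no longer affected per branch.
FIRST_FIXED = {(2, 0): 43, (1, 3): 27}

BANNER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'fixed' or 'unknown' for one Server header value."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"  # version hidden (e.g. ServerTokens Prod) or not Apache
    major, minor, patch = (int(g) for g in m.groups())
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        return "unknown"  # branch not discussed on this page
    return "affected" if patch < first_fixed else "fixed"


def triage(inventory):
    """Group hostnames by classification; inventory maps host -> banner."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory (made up for illustration).
SAMPLE = {
    "www1.example.test": "Apache/2.0.42 (Unix)",
    "www2.example.test": "Apache/2.0.43 (Unix)",
    "legacy.example.test": "Apache/1.3.26 (Unix) PHP/4.2.2",
    "patched.example.test": "Apache/1.3.27 (Unix)",
    "hidden.example.test": "Apache",
    "other.example.test": "Microsoft-IIS/5.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

A banner match is only a starting point: vendors backport fixes without changing the version string, and servers can hide the version entirely, so confirm each host against its package changelog or the advisory.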