[CentOS] Apache mod_perl cross site scripting vulnerability

Wed Aug 12 02:57:28 UTC 2015
Ellen Shull <ellenshull at gmail.com>

On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:

> I haven't used <Location /perl-status> but Trustwave still finds me
> vulnerable.
>
[...]
> Response: HTTP/1.1 404 Not Found

You clearly aren't serving perl-status; that's a red herring here.

[...]
> Body: contains '"><script>alert('xss')</script>'

That's your problem; they're flagging you for an XSS "vulnerability".
I'm guessing you have a custom 404 page that naively echoes the entire
request URL as part of the page?  You need to be using
htmlspecialchars() or HTML::Entities or whatever your
language/environment has to escape strings for safe inclusion in HTML
content.

There is of course more to it than that (sigh), try for starters:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

--ln
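
The escaping described in the message above, as an added example that is not part of the original post: a 404 body built first by echoing the request URL as-is, then with HTML::Entities applied. The sub names and the request path are constructed for illustration (the probe string is the one quoted from the scan report), and the code assumes the handler is handed the already URL-decoded path.

```perl
#!/usr/bin/perl
# Added example: a custom 404 body that echoes the request URL,
# without and with HTML escaping. Sub names are hypothetical.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# "Before": the requested URL is interpolated into the page unchanged,
# so any markup in the URL becomes markup in the response.
sub not_found_naive {
    my ($uri) = @_;
    return qq{<html><body><h1>Not Found</h1>\n}
         . qq{<p>The requested URL $uri was not found.</p></body></html>\n};
}

# "After": HTML metacharacters are replaced by entities before the
# URL is placed in element content, so the browser shows it as text.
sub not_found_escaped {
    my ($uri) = @_;
    my $safe = encode_entities($uri, q{<>&"'});
    return qq{<html><body><h1>Not Found</h1>\n}
         . qq{<p>The requested URL $safe was not found.</p></body></html>\n};
}

# The string the scanner looks for in the response body (from the report).
my $probe = q{"><script>alert('xss')</script>};

# Constructed request path carrying that string.
my $uri = "/no-such-page/$probe";

for my $case ( [ naive   => not_found_naive($uri) ],
               [ escaped => not_found_escaped($uri) ] ) {
    my ( $name, $body ) = @$case;
    my $flagged = index( $body, $probe ) >= 0 ? 'yes' : 'no';
    printf "%-8s probe string reflected verbatim: %s\n", $name, $flagged;
}

# Show what the escaped page actually sends to the client.
print "\n", not_found_escaped($uri);
```

Entity-encoding like this covers text placed in HTML element content; a URL echoed into an attribute, a script block or a link target needs the context-specific encoding covered in the OWASP cheat sheet linked above.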