[CentOS] Apache mod_perl cross site scripting vulnerability

Wed Aug 12 04:36:26 UTC 2015
Eero Volotinen <eero.volotinen at iki.fi>

How about something like:

<Location /perl-status>

    # disallow public access (Apache 2.2 syntax: no space after the comma)
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

    SetHandler perl-script
    PerlResponseHandler Apache2::Status
</Location>




2015-08-11 14:46 GMT+03:00 Proxy One <proxy-one at mail.ru>:

> Hello,
>
> I've failed the latest PCI scan because of CVE-2009-0796. Centos 6.7. The
> Red Hat Security Response Team has rated this issue as having moderate
> security impact and the bug as wontfix.
>
> Explanation: The vulnerability affects a non-default configuration of the
> Apache HTTP web server, i.e. cases when access to Apache::Status and
> Apache2::Status resources is explicitly allowed via the <Location
> /perl-status> httpd.conf configuration directive. Its occurrence can be
> prevented by using the default configuration for the Apache HTTP web
> server (not exporting /perl-status).
>
> I haven't used <Location /perl-status> but Trustwave still finds me
> vulnerable.
>
> Evidence:
> Request: GET /perl-status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1
> Accept: */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: www.mydomain.com
> Content-Type: text/html
> Content-Length: 0
> Response: HTTP/1.1 404 Not Found
> Date: Mon, 07 Aug 2015 11:10:21 GMT
> Server: Apache/2.2.15 (CentOS)
> X-Powered-By: PHP/5.3.3
> Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/
>
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Pragma: no-cache
> Connection: close
> Transfer-Encoding: chunked
> Content-Type: text/html; charset=UTF-8
> Body: contains '"><script>alert('xss')</script>'
>
>
> How can I get around this?
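Added here as a triage helper, not code from the thread or from any CentOS or mod_perl project: it parses a scanner response shaped like the one quoted above and reports whether the probe string was echoed raw or HTML-escaped, and whether the reply came from a handler at the requested path or from the site's 404 error page (the quoted evidence shows a 404 carrying PHP headers). The sample response and the function names are constructed for this example.

```python
import html

# Constructed sample, modelled on the scanner evidence quoted in the thread
# (not a real capture): a 404 from the PHP application echoing the probe.
PROBE = '"><script>alert(\'xss\')</script>'
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<p>Page /perl-status/APR::SockAddr::port/" + PROBE + " not found.</p>"
)
# The same page with the request path HTML-escaped before being echoed.
SAMPLE_404_ESCAPED = SAMPLE_404.replace(PROBE, html.escape(PROBE, quote=True))


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(raw, probe):
    """Classify a reflected-input finding from the raw response the scanner saw."""
    status, headers, body = parse_response(raw)
    finding = {
        "status": status,
        "reflected_raw": probe in body,
        # An escaped echo is rendered as text by the browser, not as markup.
        "reflected_escaped": html.escape(probe, quote=True) in body,
    }
    if status == 404:
        # Nothing served the path; the echo comes from the error page.
        # A PHP banner points at the application's 404 handler, not mod_perl.
        origin = "404 error page"
        if "php" in headers.get("x-powered-by", "").lower():
            origin += " generated by PHP"
    else:
        origin = "handler answering at the requested path"
    finding["origin"] = origin
    return finding


if __name__ == "__main__":
    print(triage(SAMPLE_404, PROBE))
    print(triage(SAMPLE_404_ESCAPED, PROBE))
```

When the origin is the 404 page, restricting /perl-status alone will not satisfy the scanner; the error page must escape the request path as well.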