On 2015-Aug-12 07:36, Eero Volotinen wrote: > How about something like: > > <Location /perl-status> > > # disallow public access > Order Deny, Allow > Deny from all > Allow from 127.0.0.1 > > SetHandler perl-script > PerlResponseHandler Apache2::Status > </Location> > Thanks to this I noticed that I don't have mod_perl installed at all. So even this vulnerability is marked as CVE-2009-0796, it's related to my 404 page. Thanks! > 2015-08-11 14:46 GMT+03:00 Proxy One <proxy-one at mail.ru>: > > > Hello, > > > > I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The > > Red Hat Security Response Team has rated this issue as having moderate > > security impact and bug as wontfix. > > > > Explanation: The vulnerability affects non default configuration of > > Apache HTTP web server, i.e cases, when access to Apache::Status and > > Apache2::Status resources is explicitly allowed via <Location > > /perl-status> httpd.conf configuration directive. Its occurrence can be > > prevented by using the default configuration for the Apache HTTP web > > server (not exporting /perl-status). > > > > I haven't used <Location /perl-status> but Trustwave still finds me > > vulnerable. > > > > Evidence: > > Request: GET /perl- > > status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1 > > Accept: */* > > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) > > Host: www.mydomain.com > > Content-Type: text/html > > Content-Length: 0 > > Response: HTTP/1.1 404 Not Found > > Date: Mon, 07 Aug 2015 11:10:21 GMT > > Server: Apache/2.2.15 (CentOS) > > X-Powered-By: PHP/5.3.3 > > Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/ > > > > Expires: Thu, 19 Nov 1981 08:52:00 GMT > > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- > > check=0 > > Pragma: no-cache > > Connection: close > > Transfer-Encoding: chunked > > Content-Type: text/html; charset=UTF-8 > > Body: contains '"><script>alert('xss')</script>' > > > > > > How can I get around this? > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos