[CentOS] Apache mod_perl cross site scripting vulnerability
Ellen Shull
ellenshull at gmail.com
Wed Aug 12 02:57:28 UTC 2015
On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
> I haven't used <Location /perl-status> but Trustwave still finds me
> vulnerable.
>
[...]
> Response: HTTP/1.1 404 Not Found
You clearly aren't serving perl-status; that's a red herring here.
[...]
> Body: contains '"><script>alert('xss')</script>'
That's your problem; they're flagging you for an XSS "vulnerability".
I'm guessing you have a custom 404 page that naively echoes the entire
request URL as part of the page? You need to be using
htmlspecialchars() or HTML::Entities or whatever your
language/environment has to escape strings for safe inclusion in HTML
content.
There is, of course, more to it than that (sigh); try for starters:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
--ln
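To make the escaping advice concrete, here is an added example (not code from the thread or from mod_perl itself) contrasting a naive custom 404 body that interpolates the request URI directly into HTML with one that runs it through HTML::Entities first. The probe string is constructed to mirror the scanner payload quoted above; the handler names and the page markup are illustrative assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Naive 404 body: the requested URI is dropped straight into the markup.
# Anything the client puts in the path (quotes, angle brackets) becomes
# live HTML, which is exactly what the scanner is flagging.
sub not_found_body_naive {
    my ($uri) = @_;
    return "<html><body><h1>404 Not Found</h1>"
         . "<p>The requested URL $uri was not found on this server.</p>"
         . "</body></html>";
}

# Hardened 404 body: encode_entities rewrites < > & " and ' as entities,
# so the browser renders the URI as text instead of parsing it as markup.
sub not_found_body_safe {
    my ($uri) = @_;
    my $safe = encode_entities($uri, q{<>&"'});
    return "<html><body><h1>404 Not Found</h1>"
         . "<p>The requested URL $safe was not found on this server.</p>"
         . "</body></html>";
}

# Constructed probe modelled on the payload in the scanner report. In a
# real ErrorDocument handler the URI would come from the request (for a
# CGI handler, Apache exposes the original path as $ENV{REDIRECT_URL}).
my $probe = q{/no/such/page"><script>alert('xss')</script>};

my $naive = not_found_body_naive($probe);
my $safe  = not_found_body_safe($probe);

# The naive body still contains a raw <script> tag; the safe one does not.
print "naive body contains raw <script>: ", ($naive =~ /<script>/ ? "yes" : "no"), "\n";
print "safe body contains raw <script>:  ", ($safe  =~ /<script>/ ? "yes" : "no"), "\n";
print "escaped URI as it reaches the browser:\n";
print encode_entities($probe, q{<>&"'}), "\n";
```

Note that entity encoding is the right fix only for text placed inside an HTML element's body or a double-quoted attribute; a URI echoed into a JavaScript block, a URL attribute or a CSS context needs the context-specific escaping the OWASP cheat sheet describes, which is the "more to it than that" part.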