[CentOS] Apache mod_perl cross site scripting vulnerability

Proxy One proxy-one at mail.ru
Wed Aug 12 10:39:17 UTC 2015


On 2015-Aug-11 19:57, Ellen Shull wrote:
> On Tue, Aug 11, 2015 at 4:46 AM, Proxy One <proxy-one at mail.ru> wrote:
> 
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> >
> [...]
> > Response: HTTP/1.1 404 Not Found
> 
> You clearly aren't serving perl-status; that's a red herring here.

Indeed, I don't have mod_proxy installed. 

> [...]
> > Body: contains '"><script>alert('xss')</script>'
> 
> That's your problem; they're flagging you for an XSS "vulnerability".
> I'm guessing you have a custom 404 page that naively echoes the entire
> request URL as part of the page?  You need to be using
> htmlspecialchars() or HTML::Entities or whatever your
> language/environment has to escape strings for safe inclusion in HTML
> content.

There is a PHP-generated 404 page. I'll check that with the web developer.
What's strange, I'm trying to reproduce this and I don't see that
string. Trustwave support suggested I use Burp Suite and its Repeater
tool. I found a Windows machine, installed it and all I see inside
body is "Unable to resolve the request
"perl-status/APR::SockAddr::port".

Is there a way to use curl for testing? I'm getting a new line because of
the single quote inside the string and escaping it with a backslash gives me
bash: syntax error near unexpected token `<'


> There is of course more to it than that (sigh), try for starters:
> https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

Very nice reading, thanks!
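
For the curl question in the message above, an added example that is not part of the original post: it holds the scanner's string in a shell variable without quoting errors and classifies how a response body reflects it. `TARGET_URL`, `classify_body` and `probe` are hypothetical names, and `HOST/PATH` is a placeholder for the URL the scanner reported.

```shell
#!/bin/sh
# Added example, not from the thread. TARGET_URL, classify_body and probe are
# names made up for this sketch.

# A quoted heredoc (<<'EOF') passes the text through untouched, so the single
# quotes and the < > in the scanner's string need no escaping at all.
read -r PAYLOAD <<'EOF'
"><script>alert('xss')</script>
EOF
# Inline equivalent: a backslash cannot escape ' inside '...', so close the
# quote, add \', and reopen it:
#   '"><script>alert('\''xss'\'')</script>'

# Read a response body on stdin and report how the string came back.
classify_body() {
    body=$(cat)
    case $body in
        *"$PAYLOAD"*)        echo reflected-raw ;;      # echoed verbatim: the scanner's finding
        *'&lt;script&gt;'*)  echo reflected-escaped ;;  # echoed, but HTML-escaped
        *)                   echo not-reflected ;;
    esac
}

# Request <url>/<payload> and classify the answer.
# -g turns off curl's URL globbing; --path-as-is keeps /../ and /./ in the path.
probe() {
    curl -sS -g --path-as-is "$1/$PAYLOAD" | classify_body
}

# Only touches the network when TARGET_URL is set, e.g.
#   TARGET_URL=http://HOST/PATH sh check.sh
if [ -n "${TARGET_URL:-}" ]; then
    probe "$TARGET_URL"
fi
```

A 404 page that passes the request URL through htmlspecialchars() before printing it should come back as `reflected-escaped` rather than `reflected-raw`.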


