[CentOS] Apache mod_perl cross site scripting vulnerability

Wed Aug 12 10:42:17 UTC 2015
Proxy One <proxy-one at mail.ru>

On 2015-Aug-12 07:36, Eero Volotinen wrote:
> How about something like:
> 
> <Location /perl-status>
> 
>       # disallow public access
>       Order Deny,Allow
>       Deny from all
>       Allow from 127.0.0.1
> 
>       SetHandler perl-script
>       PerlResponseHandler Apache2::Status
>   </Location>
> 

Thanks to this I noticed that I don't have mod_perl installed at all. So
even though this vulnerability is marked as CVE-2009-0796, it's related to my
404 page.

Thanks!


 
 
> 2015-08-11 14:46 GMT+03:00 Proxy One <proxy-one at mail.ru>:
> 
> > Hello,
> >
> > I've failed the latest PCI scan because of CVE-2009-0796. CentOS 6.7. The
> > Red Hat Security Response Team has rated this issue as having moderate
> > security impact and bug as wontfix.
> >
> > Explanation: The vulnerability affects non-default configuration of
> > Apache HTTP web server, i.e. cases when access to Apache::Status and
> > Apache2::Status resources is explicitly allowed via <Location
> > /perl-status> httpd.conf configuration directive.  Its occurrence can be
> > prevented by using the default configuration for the Apache HTTP web
> > server (not exporting /perl-status).
> >
> > I haven't used <Location /perl-status> but Trustwave still finds me
> > vulnerable.
> >
> > Evidence:
> > Request: GET /perl-status/APR::SockAddr::port/"><script>alert('xss')</script> HTTP/1.1
> > Accept: */*
> > User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> > Host: www.mydomain.com
> > Content-Type: text/html
> > Content-Length: 0
> > Response: HTTP/1.1 404 Not Found
> > Date: Mon, 07 Aug 2015 11:10:21 GMT
> > Server: Apache/2.2.15 (CentOS)
> > X-Powered-By: PHP/5.3.3
> > Set-Cookie: PHPSESSID=kj6bpud7htmbtgaqtcwhsqk7j1; path=/
> >
> > Expires: Thu, 19 Nov 1981 08:52:00 GMT
> > Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> > Pragma: no-cache
> > Connection: close
> > Transfer-Encoding: chunked
> > Content-Type: text/html; charset=UTF-8
> > Body: contains '"><script>alert('xss')</script>'
> >
> >
> > How can I get around this?
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
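
Added example (not part of the original thread, and not code from Trustwave or Apache): a triage of the scanner evidence quoted above that separates a reflection coming from the site's own error page from one served by a handler such as Apache2::Status. The marker string and headers come from the thread; the response body, the helper names and the 404 heuristic are assumptions.

```python
import html

# Marker the scanner looked for in the body, taken from the evidence in the thread.
MARKER = "\"><script>alert('xss')</script>"

def parse_response(raw):
    """Split a raw HTTP response into (status code, body)."""
    head, _, body = raw.partition("\n\n")
    status = int(head.splitlines()[0].split()[1])
    return status, body

def triage(raw, marker=MARKER):
    """Return (status, reflection, verdict) for one scanner probe response."""
    status, body = parse_response(raw)
    if marker in body:
        reflection = "raw"        # markup reaches the browser intact
    elif marker in html.unescape(body):
        reflection = "escaped"    # present only as HTML entities
    else:
        reflection = "absent"
    if reflection != "raw":
        verdict = "payload not reflected as markup"
    elif status == 404:
        # Heuristic (assumption): a 404 means no handler such as
        # Apache2::Status served /perl-status, so the error page echoed the URL.
        verdict = "error page echoes the URL unescaped"
    else:
        verdict = "a handler echoes the URL; check for an exposed /perl-status"
    return status, reflection, verdict

def sample_404(echoed_path):
    """Constructed 404 response modelled on the headers quoted in the thread."""
    return ("HTTP/1.1 404 Not Found\n"
            "Server: Apache/2.2.15 (CentOS)\n"
            "Content-Type: text/html; charset=UTF-8\n"
            "\n"
            "<html><body><p>Not found: " + echoed_path + "</p></body></html>")

# Request path from the scanner evidence.
PATH = "/perl-status/APR::SockAddr::port/" + MARKER

if __name__ == "__main__":
    print(triage(sample_404(PATH)))               # error page as scanned
    print(triage(sample_404(html.escape(PATH))))  # same page with output encoding
```

The second call shows what the scanner would see once the 404 page HTML-encodes the request path before echoing it.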