[13691] in bugtraq
Cross Site Scripting security issue
daemon@ATHENA.MIT.EDU (Robert Zilbauer)
Thu Feb 3 15:43:00 2000
Date: Wed, 2 Feb 2000 18:54:53 -0800
Reply-To: Robert Zilbauer <zilbauer@SLAPPY.ORG>
From: Robert Zilbauer <zilbauer@SLAPPY.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
>Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
>From: Marc Slemko <marcs@znep.com>
>To: announce@apache.org
>Subject: Cross Site Scripting security issue
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>As you may already be aware, today CERT released an advisory about
>a security vulnerability that has been discovered associated with
>malicious HTML tags (especially scripting tags) being embedded in
>client web requests. The common name currently associated with this
>problem is "Cross Site Scripting", even though this name is not entirely
>accurate in its description of the problem.
>
>Please review the CERT advisory available at:
>
> http://www.cert.org/advisories/CA-2000-02.html
>
>for more details. Pay particular attention to their Tech Tip for
>Web Developers, available at:
>
> http://www.cert.org/tech_tips/malicious_code_mitigation.html
>
>There are a number of ways in which this issue impacts Apache itself,
>and many more ways in which it impacts sites developed using related
>technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
>that run on top of Apache. We have put together some information
>about this and it is available at:
>
> http://www.apache.org/info/css-security/
>
>Please visit this page for more information if you think this
>problem impacts your site or if you don't understand if the problem
>impacts your site. Included on this page are patches to Apache to
>fix a number of related bugs and to add a number of features that
>may be helpful in defending against this type of attack. We expect to
>release a new version of Apache in the immediate future that includes
>these patches, but do not yet have an exact timeline planned for this
>release.
>
>Please note that this issue does not in any way compromise the security
>of your server directly. All the issues related to this involve tricking
>a client into doing something that is not what the user intends.
>
>We expect to update our pages with more information in the future,
>as more of the details and consequences of this issue are
>discovered.
>
>
>--
> Marc Slemko | Apache Software Foundation member
> marcs@znep.com | marc@apache.org
>
-----
Robert C. Zilbauer, Jr. Long live the new flesh.
Primary: zilbauer@slappy.org Secondary: zilbauer@efn.org
"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."
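An added illustration of the problem the forwarded announcement describes, written for this archive page and not taken from the post, from CERT's tech tip, or from the Apache patches it links: a CGI-style handler that reflects a request parameter into its HTML response, shown in its vulnerable form beside an escaped form, with the explicit output character set the CERT tech tip recommends. The query string, parameter name and page layout are constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs

# Constructed sample query string: a search term carrying a script tag,
# i.e. the "malicious HTML tags embedded in client web requests" that the
# advisory refers to.
SAMPLE_QUERY = "q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"


def search_term(query_string: str) -> str:
    """Extract the hypothetical 'q' parameter from a raw query string
    (empty string if it is absent)."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_reflected_unsafe(query_string: str) -> str:
    """Echo the search term straight into the page: the vulnerable pattern.
    Whatever markup the client sent is returned to the browser as-is."""
    term = search_term(query_string)
    return f"<html><body><p>Results for: {term}</p></body></html>"


def render_reflected_safe(query_string: str) -> str:
    """Echo the search term only after HTML-escaping it. quote=True also
    escapes quotes, so the result is safe inside attribute values too."""
    term = escape(search_term(query_string), quote=True)
    return f"<html><body><p>Results for: {term}</p></body></html>"


def response_headers() -> dict:
    """Declare the output character set explicitly (an ISO-8859-1 page is
    assumed here) so the browser cannot guess an encoding in which bytes
    that passed filtering turn into markup."""
    return {"Content-Type": "text/html; charset=ISO-8859-1"}


if __name__ == "__main__":
    print(render_reflected_unsafe(SAMPLE_QUERY))
    print(render_reflected_safe(SAMPLE_QUERY))
```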