On 01/06/2008 07:13 PM, Sander Temme wrote:
>
> On Jan 4, 2008, at 12:00 PM, Jim Jagielski wrote:
>
>> The latest versions of all 3 variants of Apache HTTP Server (1.3.40,
>> 2.0.62 and 2.2.7) have been tagged.
>
>
> While it seems to me that we're looking at a re-roll with several
> patches, please find my test results from the past couple of days.
> Perhaps this experience finally motivates me to script this exercise
> since it gets extremely tedious and repetitive, and hence error prone.
>
> Compiled with a bunch of modules (see config.nice and config.status at
> the end) as well as php-5.2.5.
>
> Mac OS X 10.5 (Leopard) on PowerPC:
>
> [-1] 1.3.40 (CVE-2007-6388 not fixed)

There is a patch available from Mark J Cox for 1.3, which I attach.

Regards

Rüdiger

Index: src/CHANGES =================================================================== --- src/CHANGES (revision 606689) +++ src/CHANGES (working copy) @@ -1,5 +1,10 @@ Changes with Apache 1.3.40 + *) SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. [Mark Cox] + *) SECURITY: CVE-2007-5000 (cve.mitre.org) mod_imap: Fix cross-site scripting issue. Reported by JPCERT. [Joe Orton] Index: src/modules/standard/mod_status.c =================================================================== --- src/modules/standard/mod_status.c (revision 604646) +++ src/modules/standard/mod_status.c (working copy) @@ -232,17 +232,15 @@ while (status_options[i].id != STAT_OPT_END) { if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) { switch (status_options[i].id) { - case STAT_OPT_REFRESH: - if (*(loc + strlen(status_options[i].form_data_str)) == '=' - && atol(loc + strlen(status_options[i].form_data_str) - + 1) > 0) - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, - loc + strlen(status_options[i].hdr_out_str) + 1); - else - ap_table_set(r->headers_out, - status_options[i].hdr_out_str, "1"); - break; + case STAT_OPT_REFRESH: { + long refreshtime = 0; + if (*(loc + strlen(status_options[i].form_data_str)) == '=') + refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1); + ap_table_set(r->headers_out, + status_options[i].hdr_out_str, + ap_psprintf(r->pool,"%ld",(refreshtime<1)?1:refreshtime)); + break; + } case STAT_OPT_NOTABLE: no_table_report = 1; break;
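
Review bot: In the STAT_OPT_REFRESH case of the src/modules/standard/mod_status.c hunk, refreshtime is parsed with atol(), which reports no errors and has undefined behaviour when the digits do not fit in a long, and the result has no upper bound before it is formatted into the header. Consider strtol() with an ERANGE check and a sane maximum, falling back to 1 in the same way the (refreshtime<1)?1:refreshtime expression already does for small values. The important property of the change, that the header value is regenerated with "%ld" instead of being copied from r->args, holds either way. Separately, loc comes from strstr(r->args, status_options[i].form_data_str) in the unchanged context, so the option name is matched anywhere in the query string rather than only at a parameter boundary; that predates this patch but deserves a comment next to the new block.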