On Feb 5, 2008 5:40 AM, Boyle Owen <[EMAIL PROTECTED]> wrote: > Greetings, > > Our security guy noticed this alert about a XSS vulnerability in > mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html. > According to the link, it applies to apache <= 2.2.6, so no worries for > 2.2.8. > > However, when I double-check the changelog for 2.2.8 > (http://www.apache.org/dist/httpd/CHANGES_2.2.8) there is no specific > mention of a patch in mod_negotiation... > > From a quick inspection of the source code, there was no change to > mod_negotiation.c between 2.2.6 and 2.2.8 so can I conclude that the > vulnerability is still present in 2.2.8? (ie, can it have been handled > at a higher level?)
If I remember correctly, the security does not consider this a vulnerability. To do the XSS you need control of filenames on the server. If you have that, you probably have much-more-straightforward ways to steal cookies. There might be a very-few badly-configured sites that are vulnerable to this, so it should be fixed. But it is not a serious security issue. Joshua.
