Joshua Slive wrote:
> On Feb 5, 2008 5:40 AM, Boyle Owen <[EMAIL PROTECTED]> wrote:
> > Greetings,
> >
> > Our security guy noticed this alert about an XSS vulnerability in
> > mod_negotiation: http://www.mindedsecurity.com/MSA01150108.html.
> > According to the link, it applies to apache <= 2.2.6, so no worries for
> > 2.2.8.

The author of that post was already advised this isn't a vulnerability.
As they want egg on their face for flailing their arms about, surely you
aren't surprised their notes wouldn't otherwise be correct with respect
to the applicable version, are you?

> If I remember correctly, the security does not consider this a
> vulnerability. To do the XSS you need control of filenames on the
> server. If you have that, you probably have much-more-straightforward
> ways to steal cookies.

Bingo. If you can create a file, you can author an XSS page. There simply
is not a vulnerability here.

> There might be a very-few badly-configured sites that are vulnerable
> to this, so it should be fixed. But it is not a serious security
> issue.

Disagree; it is a flaw, the names should be escaped, but there's absolutely
no reason to fix this for 'vulnerable' sites, their misconfiguration is far
more insidious if it has permitted this, and it's considered an XSS in their
context.
Bill
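
The thread's point that file names should be escaped before they appear in server-generated HTML, as an added example that is not part of the original messages and is not Apache's code. The helpers `html_escape` and `render_variant` are hypothetical names, the list-item output format is an assumption, and the sample file name is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an Apache API): HTML-escape src into dst.
 * Returns the escaped length, or -1 if dst is too small; on failure
 * dst is left empty so a partial, unescaped name is never used. */
static int html_escape(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t len = rep ? strlen(rep) : 1;
        if (n + len + 1 > cap) { dst[0] = '\0'; return -1; }
        if (rep) memcpy(dst + n, rep, len); else dst[n] = *src;
        n += len;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Render one entry of a listing of file names (assumed output format).
 * A name that cannot be escaped within the buffer is rejected, not
 * emitted raw. Returns bytes written or -1. */
static int render_variant(const char *filename, char *out, size_t cap)
{
    char esc[256];
    if (html_escape(filename, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, cap, "<li>%s</li>\n", esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: a file name carrying markup characters. */
    char out[128];
    if (render_variant("readme<b>&\"x\".html.en", out, sizeof out) > 0)
        fputs(out, stdout);
    return 0;
}
```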