On Mon 23 Mar 2009, Philippe M. Chiasson wrote:
> > almost a month ago there was this posting on the users list
> >
> > http://www.gossamer-threads.com/lists/modperl/modperl/99170#99170
> >
> > stating there was a security-related bug in modperl.
> >
> > Since then there were no svn updates touching the code. I'd like to
> > know if my servers are secure. So, where can I get more information
> > about the bug to perhaps help to fix it?
> >
> > Who knows more about the bug, please issue a statement if it is a
> > bug or not. If it is but nobody has the resources to fix it, please
> > let me know (privately) what it is. If I can I'll do it then.
>
> AFAIK, the original submitter didn't follow up and explain what the
> potential security problem was. He was told to contact
> secur...@apache.org, but I haven't heard anything from them.
Just FYI, the bug is a simple cross-site scripting thing in Apache2::Status (and probably in mp1's Apache::Status as well). The mp2 stuff is fixed by the enclosed patch, as the original submitter has confirmed. I have committed it as revision 760926.

MP1 people, please check Apache::Status. Apache2::Status users, please test.

Torsten

--
Need professional mod_perl support? Just hire me: torsten.foert...@gmx.net
Index: lib/Apache2/Status.pm =================================================================== --- lib/Apache2/Status.pm (revision 759858) +++ lib/Apache2/Status.pm (working copy) @@ -29,7 +29,7 @@ use Apache2::Const -compile => qw(OK); -$Apache2::Status::VERSION = '4.00'; # mod_perl 2.0 +$Apache2::Status::VERSION = '4.01'; # mod_perl 2.0 use constant IS_WIN32 => ($^O eq "MSWin32"); @@ -126,7 +126,7 @@ $r->print(symdump($r, $qs)); } else { - my $uri = $r->uri; + my $uri = $r->location; $r->print('<p>'); $r->print( map { qq[<a href="$uri?$_">$status{$_}</a><br />\n] } sort { lc $a cmp lc $b } keys %status @@ -198,7 +198,7 @@ sub status_inc { my ($r) = @_; - my $uri = $r->uri; + my $uri = $r->location; my @retval = ( '<table border="1">', "<tr>", @@ -289,7 +289,7 @@ my ($r) = @_; local $_; - my $uri = $r->uri; + my $uri = $r->location; my $cache = __PACKAGE__->registry_cache; my @retval = "<h2>Compiled registry scripts grouped by their handler</h2>"; @@ -765,7 +765,7 @@ my ($self, $package, $r) = @_; my @m = qw(<table>); - my $uri = $r->uri; + my $uri = $r->location; my $is_main = $package eq "main"; my $do_dump = has($r, "dumper");
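Review bot: the first hunk bumps $Apache2::Status::VERSION from 4.00 to 4.01, but this diff carries no Changes entry naming the cross-site scripting fix; add one that names the module and the revision so packagers and downstream users can tell which release carries the fix.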
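Review bot: in the menu hunk (the `@@ -126,7` region) the fix rests on `$r->location` being server-controlled where `$r->uri` was not: a client can append path info after the <Location> path, and that request URI was interpolated unescaped into `qq[<a href="$uri?$_">$status{$_}</a><br />\n]`, which is the injection point. Swapping in the configured location removes the attacker-controlled input, but it is source substitution rather than output encoding; HTML-escaping `$uri` before interpolation (HTML::Entities::encode_entities, for instance) would be cheap defense in depth and would also cover a <Location> path that happens to contain characters special to HTML. The same hunk's first context line passes `$qs` into `symdump($r, $qs)`; that value is also request-derived and is not touched by this patch, so confirm that symdump() escapes whatever it prints from it.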
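Review bot: the status_inc hunk repeats the one-line substitution `my $uri = $r->location;` that the menu hunk makes, and the registry and symbol-table hunks repeat it twice more; a single helper (a `link_base($r)` sub, say) in place of four identical lines would make it harder for a later change to reintroduce `$r->uri` in one of them and would give one place to add escaping.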
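Review bot: the registry-scripts hunk, like the others, changes only the line where `$uri` is assigned before it is interpolated into links; the diff does not show whether other request-derived values (`$r->path_info`, `$r->args`) reach the generated HTML elsewhere in this module, nor anything for mod_perl 1's Apache::Status, which the cover mail leaves to others to check. Grep both modules for remaining `->uri`, `->path_info` and `->args` uses that feed output before treating this as closed.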
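Review bot: in the last hunk (`my ($self, $package, $r) = @_;`) the sub also receives `$package`, which presumably comes from the query string given that the menu hunk passes `$qs` to symdump(); since only the `$uri` line changes here, confirm that `$package` is validated or escaped before it is emitted into `@m`, otherwise the same class of injection may remain via the query string rather than the path.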
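To make the bug and the fix concrete, here is an added example that is not part of the patch or of mod_perl: a stand-in request object (`FakeRequest`, with only the `uri` and `location` methods the demo needs, standing in for Apache2::RequestRec) is fed a constructed request whose path info closes the href attribute and injects a script tag. `menu_vulnerable` mirrors the pre-patch menu code that interpolated `$r->uri`; `menu_fixed` uses `$r->location` as the patch does and additionally HTML-escapes it with a small `escape_html` helper written for this example.

```perl
#!/usr/bin/perl
# Added example, not mod_perl code: shows why interpolating $r->uri into an
# href attribute in Apache2::Status was a reflected XSS, and why the
# configured <Location> path is a safe replacement for it.
use strict;
use warnings;

package FakeRequest;
# Stand-in for Apache2::RequestRec. 'location' is the <Location> path the
# handler was configured under (server-controlled); 'uri' is whatever path
# the client sent, which may carry extra path info after the location.
sub new      { my ($class, %a) = @_; return bless {%a}, $class }
sub uri      { $_[0]{uri} }
sub location { $_[0]{location} }

package main;

# Minimal HTML/attribute escaper written for this example (assumption:
# Apache2::Status does not ship one of its own).
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Two menu entries, standing in for the %status hash in Apache2::Status.
my %status = (inc => 'Loaded Modules', env => 'Environment');

# Pre-patch shape: the link base is the attacker-influenced request URI,
# interpolated raw into the href attribute.
sub menu_vulnerable {
    my ($r) = @_;
    my $uri = $r->uri;
    return join '', map { qq[<a href="$uri?$_">$status{$_}</a><br />\n] }
                    sort keys %status;
}

# Patched shape: the link base is the server-configured <Location> path,
# escaped before interpolation as defense in depth.
sub menu_fixed {
    my ($r) = @_;
    my $uri = escape_html($r->location);
    return join '', map { qq[<a href="$uri?$_">$status{$_}</a><br />\n] }
                    sort keys %status;
}

# Constructed request: path info after /perl-status closes the href
# attribute and injects a script tag (Apache hands the decoded path to uri).
my $r = FakeRequest->new(
    location => '/perl-status',
    uri      => '/perl-status/"><script>alert(1)</script>',
);

print "--- vulnerable ---\n", menu_vulnerable($r);
print "--- fixed ---\n",      menu_fixed($r);
```

Running it prints a vulnerable menu whose first link is `<a href="/perl-status/"><script>alert(1)</script>?env">`, i.e. the injected tag lands in the page, while the fixed menu emits `<a href="/perl-status?env">` regardless of what the client put after the location. The escaping step does nothing for this input (the location contains no special characters) but guards the case where it does.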