Patch is included in my stage for upstream 2.7a and 2.7b branches. (and has been since like Feb 2012) https://github.com/goochjj/pound/tree/stage_for_upstream/v2.7b
Zip download here: https://github.com/goochjj/pound/archive/stage_for_upstream/v2.7b.zip

Patch is not in 2.7a. Don't know what's slated for the next pre, nor when it will happen.

Joe

> -----Original Message-----
> From: Paul Reeves [mailto:[email protected]]
> Sent: Friday, January 04, 2013 5:47 AM
> To: [email protected]
> Subject: [Pound Mailing List] XSS, redirects and 30x Status pages
>
> About a year ago Kevin Bowling submitted a patch wrt the subject, but
> it doesn't seem to have been committed (at least, it doesn't seem to be
> in the code for 2.7a).
>
> Basically the problem is this:
>
> pci/dss scans send an XSS test that gets redirected by pound. Users
> see the redirected page. The pci/dss scan sees an unsanitized 30x
> status page from pound that includes the potential XSS vulnerability.
>
> The vulnerability is not real, afaict, but the aggravation of
> establishing pci/dss certification is.
>
> Is the patch available for testing? Or is there another way of dealing
> with this issue.
>
> Paul
> --
> Paul Reeves
> http://www.ibphoenix.com
> Supporting users of Firebird
>
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
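The issue Paul describes is a 30x status page that echoes the request URL into its HTML body without escaping, so a scanner's test string in the URL comes back verbatim. The following is an added illustration of the fix shape, not Pound's code and not the patch discussed in the thread; the function names `html_escape` and `redirect_body` and the page template are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write the HTML-escaped form of src into dst (dstsz bytes, NUL-terminated).
 * Returns the length the escaped form needs, excluding the NUL, so a caller
 * can detect truncation when the result is >= dstsz.  On truncation the
 * output stops cleanly at the last entity that fit. */
size_t html_escape(const char *src, char *dst, size_t dstsz)
{
    size_t needed = 0, pos = 0;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, 0 };
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        /* only keep writing while nothing has been dropped yet */
        if (pos == needed && pos + n < dstsz) {
            memcpy(dst + pos, rep, n);
            pos += n;
        }
        needed += n;
    }
    if (dstsz)
        dst[pos] = '\0';
    return needed;
}

/* Build the body of a 30x page for the given Location value.  The URL is
 * escaped before it is placed in the href and the link text, so reflected
 * markup from the request cannot become active content in the status page.
 * Returns 0 on success, -1 if the escaped URL or the page would not fit. */
int redirect_body(const char *location, char *body, size_t bodysz)
{
    char esc[1024];
    if (html_escape(location, esc, sizeof esc) >= sizeof esc)
        return -1;
    int n = snprintf(body, bodysz,
        "<html><head><title>Redirect</title></head><body>"
        "<h1>Redirect</h1><p>You should go to <a href=\"%s\">%s</a></p>"
        "</body></html>", esc, esc);
    return (n < 0 || (size_t)n >= bodysz) ? -1 : 0;
}
```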
