Use the pcidss/v2.6 branch.
https://github.com/goochjj/pound/archive/pcidss/v2.6.zip
https://github.com/goochjj/pound/tree/pcidss/v2.6

I've added the SNI optimization (one line fix)... And the XSS fix... since that's in the spirit of the pcidss compliance branch anyway.

Joe

From: [email protected] [mailto:[email protected]]
Sent: Tuesday, August 06, 2013 6:20 AM
To: [email protected]
Subject: Re: RE: [Pound Mailing List] port 80 redirect and XSS

Hi Joe,

I'm glad to hear from you. We are using a 2.6f with a patch for ssl_renegotitation_and_ciphers_v2 and a patch for SNI_Optimization. Which version can we use to keep the patches and get rid of our XSS problem?

Kind regards
fatcharly

Sent: Monday, 05 August 2013 at 18:34
From: "Joe Gooch" <[email protected]>
To: 'Pound' <[email protected]>
Subject: RE: [Pound Mailing List] port 80 redirect and XSS

Are you using the stage for upstream 2.7b branch? Or running this patch?
https://github.com/goochjj/pound/commit/8b29ed0e1a6760de395b64274c5de95ad05143fe.diff

Joe

From: [email protected] [mailto:[email protected]]
Sent: Monday, August 05, 2013 10:37 AM
To: Pound
Subject: [Pound Mailing List] port 80 redirect and XSS

Hi,

we are using pound on a CentOS 6 base and it works fine. A few days ago we had a security scan and now there is a problem with XSS (cross site scripting). When the client connects on port 80 and asks for a link with bad code in it (GET /"><script>alert(document.domain)</script>.html HTTP/1.1), the pound system replies with a 300 code and the full request. Is it possible to filter or do a URL-encoding/HTML-encoding before the 300 reply gets back to the browser? Or what else can we do to resolve this issue?

Any suggestions are welcome.

Kind regards
fatcharly

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
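The behaviour fatcharly's scan flagged is a 3xx redirect whose Location header and HTML body echo the request path verbatim, so a path carrying `"><script>...` lands in the browser as live markup. The following is an added Python example, not Pound's code and not the patch Joe links: it builds the same redirect response both ways, reflecting the path raw (the reported behaviour) and encoding it (percent-encoding for the Location header, HTML-escaping for the body), and includes a simple check that tells the two apart. The redirect target host is a placeholder, the 301 status is an assumed representative of the "300 code" in the thread, and the request path is the one from the scan; `quote` and `escape` are Python standard library functions.

```python
from html import escape
from urllib.parse import quote

# Constructed from the scan finding quoted in the thread.
SAMPLE_PATH = '/"><script>alert(document.domain)</script>.html'
# Placeholder redirect target (Pound's Redirect destination in this scenario).
TARGET_HOST = "https://www.example.com"


def build_redirect(host: str, path: str, encode: bool = True) -> str:
    """Return a complete HTTP 301 response that redirects `host + path`.

    encode=False reflects the request path verbatim into the Location
    header and the HTML body, which is the behaviour the scan reported.
    encode=True percent-encodes the path for the header (quote keeps
    '/' and RFC 3986 unreserved characters, so ordinary paths are
    unchanged) and HTML-escapes the resulting URL for the body, so
    '"', '<' and '>' from the request can never form markup.
    """
    if encode:
        location = host + quote(path, safe="/")
        body_url = escape(location, quote=True)
    else:
        location = host + path
        body_url = location

    body = (
        "<html><head><title>Redirect</title></head><body>"
        f'<h1>Redirect</h1><p>Please go to <a href="{body_url}">{body_url}</a></p>'
        "</body></html>"
    )
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        + body
    )


def reflects_verbatim(response: str, path: str) -> bool:
    """Detection check: True if the request path appears unmodified anywhere
    in the response. Any raw reflection of a path that carries HTML
    metacharacters is the condition the scanner was reporting."""
    return path in response


def header(response: str, name: str) -> str:
    """Return the value of the named header from a response string."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(": ")
        if key.lower() == name.lower():
            return value
    return ""


if __name__ == "__main__":
    raw = build_redirect(TARGET_HOST, SAMPLE_PATH, encode=False)
    fixed = build_redirect(TARGET_HOST, SAMPLE_PATH)
    print("raw redirect reflects path verbatim:  ", reflects_verbatim(raw, SAMPLE_PATH))
    print("encoded redirect reflects path verbatim:", reflects_verbatim(fixed, SAMPLE_PATH))
    print("encoded Location:", header(fixed, "Location"))
```

Running the block prints True for the raw response and False for the encoded one; the encoded Location header reads `https://www.example.com/%22%3E%3Cscript%3Ealert%28document.domain%29%3C/script%3E.html`, which a browser follows as a normal URL and never interprets as script. Percent-encoding the path is the right layer for a redirect because it leaves legitimate URLs untouched while removing every character that could break out of the header value or an HTML attribute; the body additionally goes through HTML escaping so the same string is safe in both contexts.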
