Posted to users@httpd.apache.org by McIrvin <mc...@mojounlimited.com> on 2002/04/05 23:48:05 UTC

cross-site scripting

Does anyone know how the cross-site scripting issue has been addressed in
the current (1.3.24) release of Apache? The last reference to this problem
was back in version 1.3.12 I think. I was reminded of this as Nessus still
points it out as a security hole in Apache.

Any news on the state of this vulnerability?

McIrvin


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: cross-site scripting

Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 5 Apr 2002, McIrvin wrote:

> Does anyone know how the cross-site scripting issue has been addressed in
> the current (1.3.24) release of Apache? The last reference to this problem
> was back in version 1.3.12 I think. I was reminded of this as Nessus still
> points it out as a security hole in Apache.
>
> Any news on the state of this vulnerability?

This never really was a vulnerability in Apache.  Apache did a few things
that made it easier to expose, but those were fixed long ago.  The real
vulnerability is in dynamic content generators like CGI scripts, SSI
pages, PHP scripts, etc.

See:
http://httpd.apache.org/info/css-security/

Joshua.
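
Added example, not part of either message above and not Apache project code: a minimal CGI-style page generator in Python showing where the flaw described in the reply lives, with the unescaped version beside an escaped one. The parameter name "name", the function names and the sample query string are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed request: the "name" parameter carries markup instead of a name.
SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C/script%3E"

PAGE = ('<html><body><p>Hello, {0}</p>'
        '<input type="text" value="{0}"></body></html>')


def _name_from(query_string):
    """Return the first 'name' parameter, as a CGI script reads it from QUERY_STRING."""
    return parse_qs(query_string).get("name", ["guest"])[0]


def render_vulnerable(query_string):
    """Reflects the parameter into the page unchanged.

    The web server only passes the request through; the script is what
    turns attacker-supplied text into markup.
    """
    return "Content-Type: text/html\r\n\r\n" + PAGE.format(_name_from(query_string))


def render_escaped(query_string):
    """Same page with the value HTML-escaped for both text and attribute context.

    quote=True also escapes quote characters, which matters for the
    value="..." attribute. The charset is declared explicitly so the
    browser does not guess the encoding.
    """
    name = html.escape(_name_from(query_string), quote=True)
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + PAGE.format(name)


def body(response):
    """Strip the CGI header block and return the HTML body."""
    return response.split("\r\n\r\n", 1)[1]


if __name__ == "__main__":
    print(body(render_vulnerable(SAMPLE_QUERY)))
    print(body(render_escaped(SAMPLE_QUERY)))
```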
