Posted to dev@httpd.apache.org by Marc Slemko <ma...@znep.com> on 2000/02/02 20:22:12 UTC

Cross Site Scripting security issue

-----BEGIN PGP SIGNED MESSAGE-----

As you may already be aware, today CERT released an advisory about
a security vulnerability that has been discovered associated with
malicious HTML tags (especially scripting tags) being embedded in
client web requests.  The common name currently associated with this
problem is "Cross Site Scripting", even though this name is not entirely
accurate in its description of the problem.

Please review the CERT advisory available at:

        http://www.cert.org/advisories/CA-2000-02.html

for more details.  Pay particular attention to their Tech Tip for
Web Developers, available at:

        http://www.cert.org/tech_tips/malicious_code_mitigation.html

There are a number of ways in which this issue impacts Apache itself,
and many more ways in which it impacts sites developed using related
technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
that run on top of Apache.  We have put together some information
about this and it is available at:

        http://www.apache.org/info/css-security/

Please visit this page for more information if you think this
problem impacts your site or if you don't understand if the problem
impacts your site.  Included on this page are patches to Apache to
fix a number of related bugs and to add a number of features that
may be helpful in defending against this type of attack.  We expect to
release a new version of Apache in the immediate future that includes
these patches, but do not yet have an exact timeline planned for this
release.

Please note that this issue does not in any way compromise the security
of your server directly.  All the issues related to this involve tricking
a client into doing something that is not what the user intends.

We expect to update our pages with more information in the future,
as more of the details of and consequences of this issue are
discovered.


- --
     Marc Slemko     | Apache Software Foundation member
     marcs@znep.com  | marc@apache.org

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOJiD51Qv/g4Arev1AQFp+AP+PYknXFPhcFExJvrZ2OdXhR43w2Fwuhgp
UzhJFj8WLnpuaXNipQnE5/lVxNu2s7X6hshPP9GpDUkhU8u0WMXcJqydI4+/1OEV
O2yRhVeIMwhE8k38SDxIiJJ+DsPQJ5p/Rfi8tZRh4GneSU5JBhY3d5hkumfsPocs
NZYgV5YnhRs=
=fSkT
-----END PGP SIGNATURE-----
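
A concrete instance of the problem the message describes, added here as an example (it is not code from the message, from CERT, or from Apache): a CGI-style handler that echoes a request parameter back into the page, first unescaped and then HTML-escaped for the contexts it lands in. The handler, the page template, the header helper and the attack query strings are all constructed for illustration; the charset declaration follows the general advice in the CERT tech tip linked above.

```python
"""Reflected cross-site scripting in a CGI-style handler: vulnerable and hardened.

Added example, not from the advisory or from Apache.  The handler, the
query-string input and the page template are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs


def search_page_vulnerable(query_string: str) -> str:
    """Echo the user's search term into the page unescaped.

    This is the bug class CA-2000-02 describes: HTML (or script) carried in
    the request is interpreted by the victim's browser as part of this site.
    """
    term = parse_qs(query_string).get("q", [""])[0]
    return (
        "<html><body>"
        f"<h1>Results for {term}</h1>"
        f'<input name="q" value="{term}">'
        "</body></html>"
    )


def search_page_safe(query_string: str) -> str:
    """Same page with every untrusted value HTML-escaped.

    quote=True also converts '"' and "'" to entities, so the value cannot
    close the quoted attribute early and start a new tag.
    """
    term = parse_qs(query_string).get("q", [""])[0]
    safe_term = escape(term, quote=True)
    return (
        "<html><body>"
        f"<h1>Results for {safe_term}</h1>"
        f'<input name="q" value="{safe_term}">'
        "</body></html>"
    )


def response_headers() -> str:
    """CGI header block with an explicit charset (constructed helper).

    Declaring the encoding stops the browser from guessing one in which
    other byte sequences decode to '<' or '>'.
    """
    return "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n"


# Constructed attack requests: the kind of link a victim would be tricked
# into following.  The second one targets the attribute context.
ATTACK_QUERY = "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
ATTR_BREAKOUT_QUERY = "q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def contains_live_script(page: str) -> bool:
    """Crude check used only to show the difference between the two pages:
    does the output carry a real <script> element rather than an escaped one?
    """
    return "<script>" in page.lower()


if __name__ == "__main__":
    for q in (ATTACK_QUERY, ATTR_BREAKOUT_QUERY):
        print("request  :", q)
        print("vulnerable page executes script:",
              contains_live_script(search_page_vulnerable(q)))
        print("hardened page executes script  :",
              contains_live_script(search_page_safe(q)))
```

The same escaping has to be applied to every place request data reaches the response, including server-generated error pages that echo the requested URL, which is where the Apache-side fixes referred to above apply; escaping only the obvious form fields leaves the rest of the reflection points open.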
