Cross Site Scripting security issue

From: Robert Zilbauer (zilbauerat_private)
Date: Wed Feb 02 2000 - 18:54:53 PST

Next message: Ben Greenbaum: "Re: Windows NT and account list leak ! A new SID usage"

Previous message: Erik Gjertsen: "Re: [xforceat_private: ISSalert: ISS E-Security Alert: Form"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
>From: Marc Slemko <marcsat_private>
>To: announceat_private
>Subject: Cross Site Scripting security issue
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>As you may already be aware, today CERT released an advisory about
>a security vulnerability that has been discovered associated with
>malicious HTML tags (especially scripting tags) being embedded in
>client web requests.  The common name currently associated with this
>problem is "Cross Site Scripting", even though this name is not entirely
>accurate in its description of the problem.
>
>Please review the CERT advisory available at:
>
>        http://www.cert.org/advisories/CA-2000-02.html
>
>for more details.  Pay particular attention to their Tech Tip for
>Web Developers, available at:
>
>        http://www.cert.org/tech_tips/malicious_code_mitigation.html
>
>There are a number of ways in which this issue impacts Apache itself,
>and many more ways in which it impacts sites developed using related
>technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
>that runs on top of Apache.  We have put together some information
>about this and it is available at:
>
>        http://www.apache.org/info/css-security/
>
>Please visit this page for more information if you think this
>problem impacts your site or if you don't understand if the problem
>impacts your site.  Included on this page are patches to Apache to
>fix a number of related bugs and to add a number of features that
>may be helpful in defending against this type of attack.  We expect to
>release a new version of Apache in the immediate future that includes
>these patches, but do not yet have an exact timeline planned for this
>release.
>
>Please note that this issue does not in any way compromise the security
>of your server directly.  All the issues related to this involve tricking
>a client into doing something that is not what the user intends.
>
>We expect to update our pages with more information in the future,
>as more of the details of and consequences of this issue are
>discovered.
>
>
>- --
>     Marc Slemko     | Apache Software Foundation member
>     marcsat_private  | marcat_private
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>iQCVAwUBOJiD51Qv/g4Arev1AQFp+AP+PYknXFPhcFExJvrZ2OdXhR43w2Fwuhgp
>UzhJFj8WLnpuaXNipQnE5/lVxNu2s7X6hshPP9GpDUkhU8u0WMXcJqydI4+/1OEV
>O2yRhVeIMwhE8k38SDxIiJJ+DsPQJ5p/Rfi8tZRh4GneSU5JBhY3d5hkumfsPocs
>NZYgV5YnhRs=
>=fSkT
>-----END PGP SIGNATURE-----
>
>
-----
Robert C. Zilbauer, Jr.                          Long live the new flesh.
Primary: zilbauerat_private                  Secondary: zilbauerat_private

          "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."

Next message: Ben Greenbaum: "Re: Windows NT and account list leak ! A new SID usage"
Previous message: Erik Gjertsen: "Re: [xforceat_private: ISSalert: ISS E-Security Alert: Form"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:20 PDT