>Date: Wed, 2 Feb 2000 12:22:12 -0700 (MST)
>From: Marc Slemko <marcsat_private>
>To: announceat_private
>Subject: Cross Site Scripting security issue
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>As you may already be aware, today CERT released an advisory about
>a security vulnerability that has been discovered associated with
>malicious HTML tags (especially scripting tags) being embedded in
>client web requests. The common name currently associated with this
>problem is "Cross Site Scripting", even though this name is not entirely
>accurate in its description of the problem.
>
>Please review the CERT advisory available at:
>
> http://www.cert.org/advisories/CA-2000-02.html
>
>for more details. Pay particular attention to their Tech Tip for
>Web Developers, available at:
>
> http://www.cert.org/tech_tips/malicious_code_mitigation.html
>
>There are a number of ways in which this issue impacts Apache itself,
>and many more ways in which it impacts sites developed using related
>technologies such as Apache modules, CGI scripts, mod_perl, PHP, etc.
>that run on top of Apache. We have put together some information
>about this and it is available at:
>
> http://www.apache.org/info/css-security/
>
>Please visit this page for more information if you think this
>problem impacts your site or if you don't understand if the problem
>impacts your site. Included on this page are patches to Apache to
>fix a number of related bugs and to add a number of features that
>may be helpful in defending against this type of attack. We expect to
>release a new version of Apache in the immediate future that includes
>these patches, but do not yet have an exact timeline planned for this
>release.
>
>Please note that this issue does not in any way compromise the security
>of your server directly. All the issues related to this involve tricking
>a client into doing something that is not what the user intends.
>
>We expect to update our pages with more information in the future,
>as more of the details of and consequences of this issue are
>discovered.
>
>
>- --
> Marc Slemko | Apache Software Foundation member
> marcsat_private | marcat_private
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 5.0i for non-commercial use
>Charset: noconv
>
>-----END PGP SIGNATURE-----
>

-----
Robert C. Zilbauer, Jr.
Long live the new flesh.
Primary: zilbauerat_private
Secondary: zilbauerat_private
"Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn."
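The reflected-request problem Marc's message describes, as an added example that is not part of the original message or of Apache's code: a server-generated 404 page that echoes the requested URL unchanged, beside the same page with the echoed text HTML-escaped, plus a small check a test suite can run against a response. The function names and the probe path are constructed for this illustration.

```python
"""Illustration of the issue in CA-2000-02: a server page that echoes part
of the client request verbatim, beside the same page with the echoed text
escaped for an HTML text context. Added example, not Apache's code."""
import html

# Constructed request path carrying a scripting tag, the situation the
# advisory describes (a tag embedded in a client web request).
PROBE_PATH = "/missing/<script>probe()</script>"

PAGE_HEAD = "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
PAGE_TAIL = " was not found on this server.</p></body></html>"


def render_not_found_unsafe(request_path: str) -> str:
    """Echo the requested URL as-is: any tag in the request becomes live
    markup that the victim's browser parses in this site's context."""
    return f"{PAGE_HEAD}<p>The requested URL {request_path}{PAGE_TAIL}"


def render_not_found_safe(request_path: str) -> str:
    """Same page, but the untrusted text is escaped: < > & " ' become
    character references, so the browser renders them as text, not tags."""
    return f"{PAGE_HEAD}<p>The requested URL {html.escape(request_path)}{PAGE_TAIL}"


def reflected_as_text(page: str, untrusted: str) -> bool:
    """Defensive check for a test suite: True when the untrusted input
    appears in the response only in its escaped form, never verbatim."""
    return html.escape(untrusted) in page and untrusted not in page


if __name__ == "__main__":
    print("unsafe reflects markup:", not reflected_as_text(render_not_found_unsafe(PROBE_PATH), PROBE_PATH))
    print("safe reflects text only:", reflected_as_text(render_not_found_safe(PROBE_PATH), PROBE_PATH))
```

For a path with no HTML-significant characters the two renderers produce identical pages, which is why the escaping costs nothing for legitimate requests.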
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:20 PDT