According to
http://svn.apache.org/viewvc?view=rev&rev=549159
"mod_status: Fix a possible XSS attack against a site with a public
server-status page and ExtendedStatus enabled, for browsers which perform
charset "detection". Reported by Stefan Esser. [Joe Orton]"
Note that the default is not to have a public server-status page, and in itself
making server-status public could leak sensitive information about your site.
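A way to check a configuration for the condition described above (a `server-status` handler open to everyone while `ExtendedStatus` is on), as an added example that is not part of the original comment or of Apache httpd. The function names and the sample configuration are constructed for illustration, and the check is a heuristic that only inspects `<Location>` blocks in a single config string.

```python
import re

# Constructed sample httpd configuration (not taken from the page).
SAMPLE_CONF = """\
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
</Location>
<Location /private-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

LOCATION = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location\s*>", re.I | re.S)

def has(directive, text):
    """True if some line of `text` starts with the given directive pattern."""
    return re.search(r"^\s*" + directive + r"\b", text, re.I | re.M) is not None

def audit_status_exposure(conf):
    """Return (extended_status_on, {location: verdict}) for a config string."""
    # Drop comment lines so commented-out directives are not counted.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    extended = has(r"ExtendedStatus\s+On", conf)  # explicit setting only
    verdicts = {}
    for path, body in LOCATION.findall(conf):
        if not has(r"SetHandler\s+server-status", body):
            continue  # block does not serve the status page
        path = path.strip('"')
        if has(r"Allow\s+from\s+all", body) or has(r"Require\s+all\s+granted", body):
            verdicts[path] = "public"
        elif has(r"(Require|Allow\s+from|Deny\s+from)", body):
            verdicts[path] = "restricted"
        else:
            # Access may be limited elsewhere; this heuristic cannot tell.
            verdicts[path] = "no access rule in block, review"
    return extended, verdicts

if __name__ == "__main__":
    extended, verdicts = audit_status_exposure(SAMPLE_CONF)
    print("ExtendedStatus On:", extended)
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
```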
Comment 6 Red Hat Product Security
2008-01-14 16:32:30 UTC